Skip to content

Backlog/v12 soar fixes#2316

Open
AlexSanchez-bit wants to merge 5 commits into
release/v12.0.0from
backlog/v12_soar_fixes
Open

Backlog/v12 soar fixes#2316
AlexSanchez-bit wants to merge 5 commits into
release/v12.0.0from
backlog/v12_soar_fixes

Conversation

@AlexSanchez-bit

Copy link
Copy Markdown
Contributor

No description provided.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

🛑 AI review — Engineer review required

This PR touches critical paths or introduces changes the model cannot judge with sufficient confidence. @Kbayero @osmontero please review.

🛑 architecture (gemini-3-flash-lite) — blocking — must fix before merge

Summary: Introduces conditional command chaining in SOAR flows, changing the command execution contract and potentially breaking existing agent-side command processing.

  • high backend/modules/soar/usecase/execution.go:63 — The assembleChain function changes how commands are dispatched to agents by introducing shell operators (&&, ||, ;). If agents expect a single command string or a specific format, this change in the wire protocol/execution contract may break existing agent implementations.
  • medium backend/modules/soar/dto/rule.go:20 — The Commands field in CreateRuleRequest and UpdateRuleRequest has been changed from []string to []dto.FlowCommandVM. This is a breaking API contract change for any external integrations or frontend clients relying on the previous schema.
  • medium backend/modules/soar/domain/filter.go:6 — Significant expansion of OperatorType constants. Ensure that all existing SOAR rules in production are compatible with these new operators and that the backend logic handles these new types safely.

bugs (gemini-3-flash-lite) — clean

Summary: Introduced SOAR command chaining with conditional operators and template support; logic appears sound with appropriate fallbacks.

No findings.

🛑 security (gemini-3-flash-lite) — blocking — must fix before merge

Summary: Introduction of shell command chaining logic in SOAR module, potentially enabling command injection if user-provided inputs are not strictly sanitized before execution.

  • high backend/modules/soar/usecase/execution.go:68 — The assembleChain function concatenates user-defined commands into a single shell string using shell operators (&&, ||, ;). If the 'command' field in FlowCommandVM is not strictly validated against a whitelist or sanitized to prevent shell metacharacter injection, this allows arbitrary command execution on the target agent.

@utmstackprapprover utmstackprapprover Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes requested — AI review found blocking issues (high/critical, or engineer review required). See above.

@utmstackprapprover utmstackprapprover Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes requested — AI review found blocking issues (high/critical, or engineer review required). See above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant