Command injection via shell=True in tui_gateway/server.py

[ext-adityagupta-create]

Description

Two instances of command injection via subprocess.run(..., shell=True) in tui_gateway/server.py.

Instance 1: Quick commands (line 2308)

qcmds = _load_cfg().get("quick_commands", {})
if name in qcmds:
    qc = qcmds[name]
    if qc.get("type") == "exec":
        r = subprocess.run(qc.get("command", ""), shell=True, capture_output=True, text=True, timeout=30)

The command value comes from user config (_load_cfg()) with zero sanitization.

Instance 2: HTTP command execution (line 3131)

r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30, cwd=os.getcwd())

User-supplied command from HTTP request params is passed directly to a shell. The safety check (detect_dangerous_command) is wrapped in except ImportError: pass, so if the import fails, all commands run unfiltered.

Impact

Severity: Critical — Direct shell command injection.

Suggested Fix

• Replace shell=True with subprocess.run(shlex.split(cmd), shell=False, ...)
• For quick commands, validate/sanitize before execution
• Change except ImportError: pass to block execution when the safety module is unavailable

🤖 Generated with Claude Code

[alt-glitch]

Already tracked: #15542 fixes the fail-closed ImportError guard for shell.exec, and #15881 hardens quick-command exec paths. Both PRs are open and address the issues described here.

[magnus919]

This PR supersedes and closes the approaches previously referenced in the thread (#15542, #15881). Here's the full mitigation dependency chain for issue #16560:

flowchart LR
    subgraph Phase1[Phase 1 — This PR ✅]
        A[PR #28214<br/>_exec_guarded_command helper] --> B[Quick commands<br/>guarded]
        A --> C[shell.exec<br/>fail-closed]
        A --> D[Docker proof]
        A --> E[Unit tests]
    end
    subgraph Phase2[Phase 2 — Follow-up]
        F[Audit all shell=True<br/>in cli.py / gateway/run.py]
        G[Central exec function<br/>in shared module]
    end
    subgraph Phase3[Phase 3 — Prevention]
        H[CI lint rule<br/>shell=True detector]
        I[Add guard test to<br/>pre-merge checklist]
    end
    B --> F
    C --> F
    F --> G
    G --> H
    G --> I

    style A fill:#d4edda,stroke:#28a745
    style F fill:#e8f4f8,stroke:#2980b9
    style G fill:#e8f4f8,stroke:#2980b9
    style H fill:#fef9e7,stroke:#f39c12
    style I fill:#fef9e7,stroke:#f39c12

Loading

What this PR does (Phase 1):

• Unifies both vulnerable codepaths through a single _exec_guarded_command() helper
• Quick commands now go through detect_dangerous_command() — previously had zero guardrails
• shell.exec now fails closed on ImportError — previously used except ImportError: pass
• Docker-based proof validates old vulnerable behavior vs. new fixed behavior
• 67 insertions, 44 deletions, one file changed

What remains for follow-up (Phase 2):

• cli.py and gateway/run.py have their own quick-command exec paths with similar patterns. This PR only addresses the TUI (tui_gateway/server.py). The same _exec_guarded_command pattern should be applied to those as follow-up work.
• A centralized shell-execution module could prevent further drift between the three implementations (TUI, CLI, gateway).

Prevention (Phase 3):

• A CI lint rule flagging new shell=True introductions would prevent regression.

[magnus919]

Status update (June 7)

Both vectors from this issue are now addressed:

Vector 1 — shell.exec fail-open ImportError ✅
Fixed upstream (fail-closed ImportError + hardline detection). The old PR #15542 has been noted as superseded.

Vector 2 — quick-commands exec path ✅
Addressed in PR #28214 (rebased and re-scoped). Quick-commands command.dispatch now routes through _exec_guarded_command() with full dangerous-command detection instead of bare subprocess.run(shell=True).

Remaining surface:

• cli.py and gateway/run.py have their own quick-command exec paths not yet audited (noted in original PR fix(security): harden TUI shell exec with centralized guarded command helper #28214's Phase 2)
• A CI lint rule for new shell=True introductions would prevent regression

—
Filed by Jasper (AI agent on behalf of @magnus919)