Skip to content

Sanitize Windows harness prompt arguments#279

Merged
BunsDev merged 1 commit into
mainfrom
codex/propose-fix-for-windows-.cmd-vulnerability
Jul 1, 2026
Merged

Sanitize Windows harness prompt arguments#279
BunsDev merged 1 commit into
mainfrom
codex/propose-fix-for-windows-.cmd-vulnerability

Conversation

@BunsDev

@BunsDev BunsDev commented Jun 30, 2026

Copy link
Copy Markdown
Member

Motivation

  • The Windows platform resolver can return .cmd shim executables (e.g. from spawn_executable_for_platform), which are invoked through cmd.exe and therefore require metacharacter neutralization to avoid shell interpretation of user-controlled prompt text.
  • Some code paths were appending the effective prompt (resume/stream paths) without calling the existing sanitizer, leaving a command-injection risk on Windows when a resolved .cmd shim is executed.

Description

  • Apply sanitize_argv_for_platform to the conversation-continuity (resume) branch in crates/coven-cli/src/harness.rs so the effective_prompt is sanitized before returning launch args.
  • Make sanitize_argv_for_platform pub(crate) so it can be reused across the crate.
  • Update crates/coven-cli/src/pty_runner.rs's stream_claude* path to construct an owned Vec<String>, append the prompt, call crate::harness::sanitize_argv_for_platform, and pass the sanitized args to Command::args (removing the prior unsanitized .arg(prompt)).

Testing

  • Ran code formatting with cargo fmt and git diff --check, both succeeded.
  • Ran unit tests: cargo test -p coven-cli claude_resume_hint_attaches_resume_flag_in_print_mode passed.
  • Ran integration/unit tests: cargo test -p coven-cli stream_claude_forwards_jsonl_and_returns_exit_code passed and cargo test -p coven-cli stream_claude_resumes_with_resume_flag_not_session_id passed.

Codex Task

Copilot AI review requested due to automatic review settings June 30, 2026 19:42

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens Windows harness invocation by ensuring user-controlled prompt text is sanitized before being passed as argv when the resolved harness executable is a .cmd shim (invoked via cmd.exe), closing command-injection risk paths.

Changes:

  • Apply sanitize_argv_for_platform to the continuity/resume path in command_parts_for_harness_with_conversation so the effective_prompt is sanitized before being returned as launch args.
  • Make sanitize_argv_for_platform pub(crate) for reuse across the crate.
  • Update pty_runner::stream_claude* to build an owned Vec<String>, append prompt, sanitize the full argv, and pass it via Command::args (removing the prior unsanitized .arg(prompt)).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
crates/coven-cli/src/harness.rs Sanitizes the effective prompt for the continuity/resume branch and exposes the sanitizer for crate-wide reuse.
crates/coven-cli/src/pty_runner.rs Ensures stream-mode Claude invocation sanitizes the appended prompt before spawning on Windows.
Comments suppressed due to low confidence (1)

crates/coven-cli/src/harness.rs:551

  • On Windows, this sanitizer injects surrounding double-quotes into the argument value and escapes embedded quotes as \\". When the resolved harness is a .cmd shim, std::process::Command will build a cmd.exe command line and may backslash-escape these quotes, but cmd.exe does not treat backslashes as an escape character. This can break tokenization and potentially re-enable cmd metacharacter interpretation for user-controlled prompt text.

Safer approach: avoid adding quotes into the arg value and instead caret-escape cmd.exe metacharacters (including ") so cmd.exe receives the intended literal text.

pub(crate) fn sanitize_argv_for_platform(args: Vec<String>) -> Vec<String> {
    // Characters that cmd.exe treats as special even inside double quotes
    // when the outer caller is cmd.exe itself (i.e. when running a .cmd shim).
    const CMD_METACHARACTERS: &[char] = &['&', '|', '<', '>', '^', '%', '!'];
    args.into_iter()

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@BunsDev BunsDev force-pushed the codex/propose-fix-for-windows-.cmd-vulnerability branch from f3d954c to 66a8bd8 Compare June 30, 2026 20:28
@BunsDev BunsDev force-pushed the codex/propose-fix-for-windows-.cmd-vulnerability branch from 66a8bd8 to 7e6aa3b Compare June 30, 2026 20:40
@BunsDev BunsDev merged commit 78f8750 into main Jul 1, 2026
14 checks passed
@BunsDev BunsDev deleted the codex/propose-fix-for-windows-.cmd-vulnerability branch July 1, 2026 08:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants