Merged
8 changes: 7 additions & 1 deletion fix_env.py
@@ -11,12 +11,18 @@

# Helper to clean quotes (curly or straight)
def clean_val(val):
if not val: return ""

Code scanning / Pylint python3 (reported by Codacy): warning, more than one statement on a single line
# Remove surrounding quotes of any kind
val = val.strip()
val = re.sub(r'^[\"\u201c\u201d\']|[\"\u201c\u201d\']$', '', val)
return val

# Helper to escape value for shell
def escape_val(val):

Code scanning / Pylint (reported by Codacy): warning, missing function docstring
if not val: return ""

Code scanning / Pylint (reported by Codacy): warning, more than one statement on a single line
# Escape backslashes first, then double quotes
return val.replace('\\', '\\\\').replace('"', '\\"')
Comment on lines +23 to +24

Copilot AI Jan 18, 2026
The escape_val function does not escape dollar signs ($) or backticks (`). When the .env file is sourced by a shell, values containing these characters within double quotes can still trigger variable expansion or command substitution, potentially leading to security issues. Consider escaping $ as \$ and ` as \` to prevent unintended shell interpretation.

Suggested change
# Escape backslashes first, then double quotes
return val.replace('\\', '\\\\').replace('"', '\\"')
# Escape backslashes first, then double quotes, dollar signs, and backticks
return (
val.replace('\\', '\\\\')
.replace('"', '\\"')
.replace('$', '\\$')
.replace('`', '\\`')
)

Comment on lines +21 to +24

Copilot AI Jan 18, 2026
The escape_val function and its security-critical escaping logic lack test coverage. Given that this fix addresses a shell injection vulnerability, it would be valuable to add tests that verify the escaping works correctly for various edge cases including values with double quotes, backslashes, dollar signs, backticks, and newlines. Consider adding a test file like test_fix_env.py with test cases for the escape_val function.

Comment on lines +23 to +24

Copilot AI Jan 18, 2026
The escape_val function does not handle newline characters or other control characters. If real_token or real_profiles contain newlines (e.g., from malicious input or data corruption), the generated .env file will be malformed. Consider escaping newlines as \n, carriage returns as \r, and tabs as \t to ensure the .env file remains valid.

Suggested change
# Escape backslashes first, then double quotes
return val.replace('\\', '\\\\').replace('"', '\\"')
# Escape backslashes first, then control characters, then double quotes
val = val.replace('\\', '\\\\')
val = val.replace('\n', '\\n').replace('\r', '\\r').replace('\t', '\\t')
return val.replace('"', '\\"')

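The review comments above ask for `$` and backtick escaping and for tests of escape_val. The following is an added example written for this review, not code from the PR or its repository. It reproduces the PR's escape_val, adds a hardened variant along the lines of the suggestions, and checks both against a small, deliberately reduced model of how a POSIX shell reads a double-quoted word (an assumption made here: it expands `$NAME`/`${NAME}` from a supplied dictionary, refuses backtick and `$(...)` command substitution instead of running it, and ignores the shell's other expansions), so the round-trip can be verified offline without spawning a shell. The names shell_dquote_read, value_seen_by_shell and roundtrips are mine; the hardened variant rejects control characters instead of escaping them, because inside "..." a shell has no backslash escape that yields them.

```python
"""Round-trip checks for .env value escaping (added example, not PR code)."""
import re


class CommandSubstitution(Exception):
    """Raised by the model where a real shell would run a command."""


def escape_val(val):
    """The PR's version: escapes backslashes and double quotes only."""
    if not val:
        return ""
    return val.replace('\\', '\\\\').replace('"', '\\"')


def escape_val_hardened(val):
    """Review-suggested variant: additionally neutralises $ and ` (both stay
    active inside "...") and refuses control characters, since a raw newline
    would break the one-value-per-line KEY="..." layout and double quotes
    offer no escape for it."""
    if not val:
        return ""
    if re.search(r'[\x00-\x1f\x7f]', val):
        raise ValueError("control characters cannot be carried in a "
                         "double-quoted .env value")
    # Backslash first, so the backslashes added below are not doubled.
    return (val.replace('\\', '\\\\')
               .replace('"', '\\"')
               .replace('$', '\\$')
               .replace('`', '\\`'))


def shell_dquote_read(body, env):
    """Reduced model (assumption) of a POSIX shell reading the text between
    double quotes: backslash escapes only \\ " $ `; $NAME and ${NAME} expand
    from env; an unescaped backtick or $( starts command substitution, which
    is refused; an unescaped " would end the word early, which is an error."""
    out = []
    i, n = 0, len(body)
    while i < n:
        c = body[i]
        if c == '\\' and i + 1 < n and body[i + 1] in '\\"$`':
            out.append(body[i + 1])
            i += 2
        elif c == '`' or body.startswith('$(', i):
            raise CommandSubstitution(body[i:])
        elif c == '"':
            raise ValueError("unescaped quote terminates the value early")
        elif c == '$':
            m = re.match(r'\$(\{(\w+)\}|(\w+))', body[i:])
            if m:
                out.append(env.get(m.group(2) or m.group(3), ''))
                i += m.end()
            else:
                out.append('$')
                i += 1
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def value_seen_by_shell(escaper, value, env=None):
    """Write value the way the PR does (KEY="...") and read it back as a
    sourcing shell would, returning the value the shell ends up with."""
    line = f'TOKEN="{escaper(value)}"\n'   # same layout fix_env.py writes
    body = line[len('TOKEN="'):-2]          # strip KEY=" ... "\n
    return shell_dquote_read(body, env or {})


def roundtrips(escaper, value, env=None):
    """True if the shell would see exactly `value`; False if it would be
    altered, cut short, or would trigger command substitution."""
    try:
        return value_seen_by_shell(escaper, value, env) == value
    except (CommandSubstitution, ValueError):
        return False


if __name__ == "__main__":
    # Constructed sample values; HOME is a stand-in environment for the model.
    cases = ['say "hi"', 'C:\\temp', 'abc$HOME', 'x`id`y']
    for v in cases:
        print(f'{v!r:14} PR escape_val: {roundtrips(escape_val, v, {"HOME": "/root"})}'
              f'  hardened: {roundtrips(escape_val_hardened, v, {"HOME": "/root"})}')
```

Run as a script it prints one line per sample value; the two `$`/backtick cases are the ones where the PR's escaper fails the round-trip and the hardened one passes. Which escaping is right ultimately depends on who reads the file: a shell follows the rules modelled here, while a dotenv-style parser has its own, so the consumer should be named in the code.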

lines = content.splitlines()
parsed = {}
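Review bot: escape_val (the `return val.replace('\\', '\\\\').replace('"', '\\"')` line) only neutralises backslash and double quote, which is not enough if the generated .env is sourced by a shell, because `$`, backtick and `$(` stay active inside double quotes. Either extend it to escape `$` as `\$` and backtick as `` \` ``, or write the value single-quoted (with `'` emitted as `'\''`), and state in a comment which consumer (shell or a dotenv parser) the file is written for, since their quoting rules differ. A newline in the value would also break the one-line KEY="..." layout, so reject it rather than pass it through. The `if not val: return ""` one-liners in clean_val and escape_val are what trips the Pylint "more than one statement on a single line" warnings shown above; splitting them and adding the missing docstring clears all three findings.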

@@ -50,7 +56,7 @@
if not real_profiles: real_profiles = profile_val

# Write back with standard quotes
new_content = f'TOKEN="{real_token}"\nPROFILE="{real_profiles}"\n'
new_content = f'TOKEN="{escape_val(real_token)}"\nPROFILE="{escape_val(real_profiles)}"\n'

with open('.env', 'w') as f:
f.write(new_content)
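Review bot: `with open('.env', 'w') as f:` creates the file holding TOKEN with the process umask, typically mode 0644, so the secret is readable by every local user. Create it with `os.open('.env', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and wrap the descriptor with `os.fdopen` (or `os.chmod` the file to 0o600 immediately after writing), and consider an explicit path instead of relying on the current working directory. The f-string now depends on escape_val matching the reader's quoting rules, which the comment on line +23 already questions; a one-line comment here naming that reader would keep the two in step.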