Skip to content

[#342] Prevent shell injection in RemoteOps.Execute#343

Merged
yersan merged 1 commit into
wildfly:mainfrom
jmesnil:342_ExecuteMgmtOp_execution
Jun 11, 2026
Merged

[#342] Prevent shell injection in RemoteOps.Execute#343
yersan merged 1 commit into
wildfly:mainfrom
jmesnil:342_ExecuteMgmtOp_execution

Conversation

@jmesnil

@jmesnil jmesnil commented Jun 11, 2026

Copy link
Copy Markdown
Member

Change Execute command parameter from string to []string so the command is passed directly to PodExecOptions without implicit shell wrapping. Callers that need shell features (env var expansion, redirects, logical operators) now explicitly use /bin/sh -c with positional parameters to keep untrusted input out of the shell command string.

Fixes #342

Change Execute command parameter from string to []string so the command
is passed directly to PodExecOptions without implicit shell wrapping.
Callers that need shell features (env var expansion, redirects, logical
operators) now explicitly use /bin/sh -c with positional parameters to
keep untrusted input out of the shell command string.

Fixes wildfly#342

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jmesnil jmesnil requested a review from yersan June 11, 2026 09:30
@yersan yersan merged commit 1e982df into wildfly:main Jun 11, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ExecuteMgmtOp builds shell command via fmt.Sprintf with single-quote wrapping

2 participants