From 10df136860a6b56e5c4392db9b5ff7d0ce5e016b Mon Sep 17 00:00:00 2001
From: TrueAlpha-spiral <199723968+TrueAlpha-spiral@users.noreply.github.com>
Date: Sat, 25 Apr 2026 19:02:09 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Fix=20Command=20Injection=20in?=
 =?UTF-8?q?=20Sandbox=20Setup?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🎯 What: Fixed a command injection vulnerability when setting up the sandbox proxy.
⚠️ Risk: A malicious user or unexpected environment variable could inject arbitrary commands via 'config.command' passed into execSync.
🛡️ Solution: Migrated from execSync (which uses a shell) to execFileSync, passing arguments securely as an array.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
---
 packages/cli/src/utils/sandbox.ts | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/packages/cli/src/utils/sandbox.ts b/packages/cli/src/utils/sandbox.ts
index 95f23d82075..6459e3c1447 100644
--- a/packages/cli/src/utils/sandbox.ts
+++ b/packages/cli/src/utils/sandbox.ts
@@ -4,7 +4,13 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { exec, execSync, spawn, type ChildProcess } from 'node:child_process';
+import {
+  exec,
+  execSync,
+  execFileSync,
+  spawn,
+  type ChildProcess,
+} from 'node:child_process';
 import os from 'node:os';
 import path from 'node:path';
 import fs from 'node:fs';
@@ -784,7 +790,11 @@ export async function start_sandbox(
       // install handlers to stop proxy on exit/signal
       const stopProxy = () => {
         console.log('stopping proxy container ...');
-        execSync(`${config.command} rm -f ${SANDBOX_PROXY_NAME}`);
+        try {
+          execFileSync(config.command, ['rm', '-f', SANDBOX_PROXY_NAME]);
+        } catch (_e) {
+          /* Ignore error */
+        }
       };
       process.on('exit', stopProxy);
       process.on('SIGINT', stopProxy);