From 4cb01fd482dc03898299df8dc2bbd20c167dfd0c Mon Sep 17 00:00:00 2001
From: fr4iser <pa.boe90@gmail.com>
Date: Sat, 28 Feb 2026 20:40:05 +0100
Subject: [PATCH] security: Fix command injection vulnerability in
 statusline.cjs

- Add input validation for command parameter
- Check for dangerous shell metacharacters
- Allow only safe command patterns
---
 .claude/helpers/statusline.cjs | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/.claude/helpers/statusline.cjs b/.claude/helpers/statusline.cjs
index 602907f..0f4b1e5 100644
--- a/.claude/helpers/statusline.cjs
+++ b/.claude/helpers/statusline.cjs
@@ -47,8 +47,27 @@ const c = {
 };
 
 // Safe execSync with strict timeout (returns empty string on failure)
+// Validates command to prevent command injection
 function safeExec(cmd, timeoutMs = 2000) {
   try {
+    // Validate command to prevent command injection
+    // Only allow commands that match safe patterns (no shell metacharacters)
+    if (typeof cmd !== 'string') {
+      return '';
+    }
+    
+    // Check for dangerous shell metacharacters that could allow injection
+    const dangerousChars = /[;&|`$(){}[\]<>'"\\]/;
+    if (dangerousChars.test(cmd)) {
+      // If dangerous chars found, only allow if it's a known safe pattern
+      // Allow 'sh -c' with single-quoted script (already escaped)
+      const safeShPattern = /^sh\s+-c\s+'[^']*'$/;
+      if (!safeShPattern.test(cmd)) {
+        console.warn('safeExec: Command contains potentially dangerous characters');
+        return '';
+      }
+    }
+    
     return execSync(cmd, {
       encoding: 'utf-8',
       timeout: timeoutMs,