
fix(security): prevent shell injection in _expand_path via ~user path suffix #2685

Merged
teknium1 merged 1 commit into main from hermes/hermes-28b19313
Mar 23, 2026

@teknium1
Contributor

Salvage of PR #2047 by @Gutslabs — cherry-picked with authorship preserved.

What

_expand_path() passed the full unquoted path to echo via shell when handling ~username/... paths. The username was validated with regex, but the path suffix was not — allowing command substitution in the suffix.

Before: echo ~root/$(id) → shell executes $(id)
After: echo ~root → get home dir, then append /$(id) as plain string in Python

All ~ expansion still works identically for legitimate paths:

  • ~ → $HOME
  • ~/foo → $HOME/foo
  • ~root/foo → /root/foo (expanded safely)

Test plan

  • 6044 tests pass, 0 failures
… suffix

echo was called with the full unquoted path (~username/suffix), allowing
command substitution in the suffix (e.g. ~user/$(malicious)) to execute
arbitrary shell commands. The fix expands only the validated ~username
portion via the shell and concatenates the suffix as a plain string.
@teknium1 teknium1 merged commit 73a88a0 into main Mar 23, 2026
1 check passed
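
The before/after behaviour described in this PR, as an added illustration that is not the project's own `_expand_path` code. The function names, the username regex and the constructed sample input are assumptions; a harmless `$(echo INJECTED)` stands in for the suffix.

```python
import re
import subprocess

# Assumed pattern: the PR says the username is regex-validated but does not show the regex.
_USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")


def _sh_echo(arg: str) -> str:
    """Run `echo <arg>` via sh with arg left unquoted, so the shell expands it."""
    proc = subprocess.run(["sh", "-c", "echo " + arg],
                          capture_output=True, text=True, check=False)
    return proc.stdout.strip()


def expand_path_before(path: str) -> str:
    """Pre-fix shape: username is validated, but the whole path reaches the shell."""
    if path.startswith("~") and path != "~" and not path.startswith("~/"):
        user = path[1:].split("/", 1)[0]
        if _USERNAME_RE.fullmatch(user):
            return _sh_echo(path)  # suffix is evaluated by the shell as well
    return path


def expand_path_after(path: str) -> str:
    """Post-fix shape: only the validated ~username goes through the shell."""
    if path == "~" or path.startswith("~/"):
        return _sh_echo('"$HOME"') + path[1:]
    if path.startswith("~"):
        user, sep, rest = path[1:].partition("/")
        if _USERNAME_RE.fullmatch(user):
            home = _sh_echo("~" + user)   # e.g. /root
            return home + sep + rest      # suffix appended as a plain string
    return path  # not a tilde path, or username failed validation


if __name__ == "__main__":
    sample = "~root/$(echo INJECTED)"  # constructed input
    print("before:", expand_path_before(sample))  # substitution has run
    print("after: ", expand_path_after(sample))   # suffix kept literally
```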