fix(parser): prevent unintended command execution via unmatched ')'#60
Conversation
|
CI workflow has been updated on master (Go 1.25/1.26, latest GitHub Actions). Please rebase your branch onto master to pick up the CI fix: Also, after rebasing, CI will reveal two existing test failures caused by this PR:
Please fix these before the PR can be reviewed further. |
Updated dollarQuote handling to prevent toggling on bare ')' characters.
Add tests for shellwords parser handling of unmatched and bare closing parentheses, command substitutions, and error cases.
649c7e4 to
735b5e8
Compare
|
Rebased onto latest master and updated the fix:
All tests pass locally. |
|
One test failing |
|
Fixed the failing test. The previous CI run did not include the complete changes. Updated both parser logic and tests; behavior is now consistent with upstream expectations. All tests pass locally. Thanks! |
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #60 +/- ##
==========================================
- Coverage 90.19% 90.04% -0.16%
==========================================
Files 2 3 +1
Lines 204 241 +37
==========================================
+ Hits 184 217 +33
- Misses 14 16 +2
- Partials 6 8 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
All tests are passing now. Let me know if you'd like additional coverage for any specific branch. |
|
Thank you for the fix! Merging this now. |
The merged security fix (#60) treated bare ')' as a literal when ParseBacktick=false, but as an error when ParseBacktick=true. Unify the behavior: bare ')' is always a syntax error, consistent with how bare '(' is already handled.
fix(parser): prevent unintended command execution via unmatched ')'
Summary
This change fixes a parser state machine flaw that allowed unintended command execution and parsing corruption when processing input containing unmatched ')' characters.
Root Cause
The parser previously toggled the internal
dollarQuotestate unconditionally upon encountering a ')' character, without verifying that a corresponding '$(' sequence had opened the state.This created an asymmetry in the state machine:
As a result, a bare ')' could incorrectly open a command substitution context.
Impact
Command Execution (when ParseBacktick=true)
Crafted input such as:
could trigger execution via:
Denial of Service
Short inputs (e.g.
))) could trigger:Parsing Corruption (default configuration)
Unmatched ')' caused silent corruption of tokenization by incorrectly entering dollar-quote mode.
Fix
The fix enforces strict state transitions:
dollarQuote$(contextChanges
with guarded logic:
Behavior After Fix
$(...)→ works as expected)(unmatched) → treated as literalTests
Added security-focused tests covering:
)))$(...)substitution still works$(Security
This change addresses a command injection vulnerability caused by incorrect parser state handling (CWE-94), along with related robustness issues.
Notes
Upstream repository appears inactive; this patch is applied as part of a maintained fork with security fixes.