MCPcopy Index your code
hub / github.com/codeaashu/claude-code / validateMalformedTokenInjection

Function validateMalformedTokenInjection

src/tools/BashTool/bashSecurity.ts:1082–1128  ·  view source on GitHub ↗

* Detects commands with malformed tokens (unbalanced delimiters) combined with * command separators. This catches potential injection patterns where ambiguous * shell syntax could be exploited. * * Security: This check catches the eval bypass discovered in HackerOne review. * When shell-quote p

(
  context: ValidationContext,
)

Source from the content-addressed store, hash-verified

1080 * what will be executed before approving.
1081 */
1082function validateMalformedTokenInjection(
1083 context: ValidationContext,
1084): PermissionResult {
1085 const { originalCommand } = context
1086
1087 const parseResult = tryParseShellCommand(originalCommand)
1088 if (!parseResult.success) {
1089 // Parse failed - this is handled elsewhere (bashToolHasPermission checks this)
1090 return {
1091 behavior: 'passthrough',
1092 message: 'Parse failed, handled elsewhere',
1093 }
1094 }
1095
1096 const parsed = parseResult.tokens
1097
1098 // Check for command separators (;, &&, ||)
1099 const hasCommandSeparator = parsed.some(
1100 entry =>
1101 typeof entry === 'object' &&
1102 entry !== null &&
1103 'op' in entry &&
1104 (entry.op === ';' || entry.op === '&&' || entry.op === '||'),
1105 )
1106
1107 if (!hasCommandSeparator) {
1108 return { behavior: 'passthrough', message: 'No command separators' }
1109 }
1110
1111 // Check for malformed tokens (unbalanced delimiters)
1112 if (hasMalformedTokens(originalCommand, parsed)) {
1113 logEvent('tengu_bash_security_check_triggered', {
1114 checkId: BASH_SECURITY_CHECK_IDS.MALFORMED_TOKEN_INJECTION,
1115 subId: 1,
1116 })
1117 return {
1118 behavior: 'ask',
1119 message:
1120 'Command contains ambiguous syntax with command separators that could be misinterpreted',
1121 }
1122 }
1123
1124 return {
1125 behavior: 'passthrough',
1126 message: 'No malformed token injection detected',
1127 }
1128}
1129
1130function validateObfuscatedFlags(context: ValidationContext): PermissionResult {
1131 // Block shell quoting bypass patterns used to circumvent negative lookaheads we use in our regexes to block known dangerous flags

Callers

nothing calls this directly

Calls 3

tryParseShellCommandFunction · 0.85
hasMalformedTokensFunction · 0.85
logEventFunction · 0.85

Tested by

no test coverage detected