| 252 | * ``` |
| 253 | */ |
export function sanitizeCommand(command: string): string {
  // Detection only: the command is normalized (NUL, VT and FF characters
  // removed, surrounding whitespace trimmed) and a warning is logged when one
  // of the heuristic patterns below matches, but a flagged command is still
  // returned unchanged. Callers must not treat the return value as proof that
  // the command is safe to run; the pattern list is a best-effort deny-list,
  // not an exhaustive one.
  const cleaned = command.replace(/[\x00\x0B\x0C]/g, '').trim()

  // Log preview: at most 100 characters, with an ellipsis when truncated.
  const preview = cleaned.length > 100 ? `${cleaned.substring(0, 100)}...` : cleaned

  // [pattern, human-readable label]. None carries the g flag, so .test() is
  // stateless and the order of warnings follows the order of this list.
  const heuristics: ReadonlyArray<readonly [RegExp, string]> = [
    [/\$\(.*\)/, 'command substitution $()'],
    [/`.*`/, 'backtick command substitution'],
    [/;\s*rm\s+-rf/i, 'destructive rm -rf command'],
    [/;\s*dd\s+/i, 'dd command (disk operations)'],
    [/mkfs/i, 'filesystem formatting command'],
    [/>\s*\/dev\/sd[a-z]/i, 'direct disk write'],
  ]

  heuristics
    .filter(([re]) => re.test(cleaned))
    .forEach(([, label]) => {
      logger.warn(`Command contains ${label}`, { command: preview })
    })

  return cleaned
}
| 280 | |
| 281 | /** |
| 282 | * Sanitize and validate file path to prevent path traversal attacks |