GH#4006: Harden shell injection defenses in tools.mjs

[marcusquinn]

Summary

• Harden createAidevopsTool: args.command was interpolated directly into a shell command string. Added isSafeCommand() allowlist validator that rejects shell metacharacters ($, backtick, ;, |, &, etc.) while permitting all valid aidevops subcommand characters.
• Fix createPreEditCheckTool: args.task used double-quote interpolation ("${args.task}") which allows $(cmd) and backtick expansion. Replaced with shellEscape() (single-quote wrapping).
• Harden runHookHelper: action parameter was passed unsanitized to execSync. Added VALID_HOOK_ACTIONS Set allowlist validation — only install, uninstall, status, test are accepted.

These are three additional shell injection vectors in the same file beyond the two flagged by Gemini in PR #3975 (which were already fixed via shellEscape() on memory tool args).

Closes #4006

Summary by CodeRabbit

• Bug Fixes
  • Strengthened validation of CLI commands to block unsafe input and prevent injection.
  • Added escaping for task arguments to ensure safer command execution.
  • Enforced a whitelist of allowed hook actions (install, uninstall, status, test) with clearer error messages for invalid actions.
  • Applied consistent safety checks across all tooling paths for more reliable behavior.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the tools.mjs file by addressing several shell injection vulnerabilities. It introduces robust input validation and proper shell escaping mechanisms across multiple functions, ensuring that user-supplied inputs cannot be maliciously interpreted as shell commands. This proactive hardening prevents potential remote code execution and improves the overall integrity of the system's command execution.

Highlights

• Harden createAidevopsTool: The args.command parameter, previously interpolated directly into a shell command, now undergoes validation using a new isSafeCommand() allowlist validator. This validator rejects shell metacharacters while permitting valid subcommand characters.
• Fix createPreEditCheckTool: The args.task parameter, which used double-quote interpolation ("${args.task}") allowing for command expansion, has been updated to use shellEscape() for single-quote wrapping, preventing injection.
• Harden runHookHelper: The action parameter, previously passed unsanitized to execSync, is now validated against a VALID_HOOK_ACTIONS Set. Only 'install', 'uninstall', 'status', and 'test' actions are accepted, preventing arbitrary command execution.

Changelog

• .agents/plugins/opencode-aidevops/tools.mjs
  • Introduced isSafeCommand function to validate CLI command strings against shell metacharacters.
  • Integrated isSafeCommand into createAidevopsTool to prevent direct interpolation of untrusted command arguments.
  • Replaced double-quote interpolation with shellEscape() in createPreEditCheckTool for the args.task parameter.
  • Defined VALID_HOOK_ACTIONS set and enforced its use in runHookHelper to restrict allowed actions.
  • Updated error messages in runHookHelper to reflect the validated action.

Activity

• This pull request addresses and closes issue quality-debt: .agents/plugins/opencode-aidevops/tools.mjs — PR #3975 review feedback (high) #4006, focusing on additional shell injection vectors.
• The changes build upon previous security fixes implemented in PR fix: resubmit 5 quality-debt fixes from closed batch PRs (batch 2) #3975, specifically targeting similar vulnerabilities in tools.mjs.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 46 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b0009cc1-8f5b-47bb-bda2-ce5d044c1a8e

📥 Commits

Reviewing files that changed from the base of the PR and between 9a84843 and 1638895.

📒 Files selected for processing (1)

• .agents/plugins/opencode-aidevops/tools.mjs

Walkthrough

This change hardens the opencode-aidevops tools by adding command validation and escaping to prevent shell injection, and by introducing a whitelist-backed hook action map used across hook execution and quality tooling paths.

Changes

Cohort / File(s)	Summary
Core plugin file .agents/plugins/opencode-aidevops/tools.mjs	Adds isSafeCommand() and shellEscape(); replaces direct command interpolation with validated/escaped construction; introduces HOOK_ACTION_MAP (null-prototype) and maps incoming hook actions to validated values; updates runHookHelper and quality-tooling hook paths to error on invalid actions and reference validated actions in errors.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• #1103: Modifies opencode-aidevops plugin command execution paths and pre-edit/task flag construction — closely related to the injection hardening here.
• #3975: Prior PR referenced in review feedback; contains the earlier code paths that triggered high-severity injection findings.
• #1349: Introduced/createTools and related helpers that this change hardens with additional validation/escaping.

Suggested labels

needs-maintainer-review

Poem

🛡️ Small checks, big shields at play,
Quotes and maps keep threats at bay,
Whitelisted actions, inputs wrapped tight,
DevOps sleeps safer through the night. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main security-focused change: hardening shell injection defenses in tools.mjs with specific techniques like allowlist validation and shell escaping.
Linked Issues check	✅ Passed	The PR fully addresses issue #4006 objectives by implementing three shell-injection hardening fixes: isSafeCommand() for args.command validation, shellEscape() for args.task, and HOOK_ACTION_MAP allowlist for hook actions.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to addressing shell-injection vectors in tools.mjs; no unrelated modifications detected beyond the security hardening objectives outlined in issue #4006.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/issue-4006-tools-mjs-quality-debt

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 393 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Mon Mar 9 21:26:55 UTC 2026: Code review monitoring started
Mon Mar 9 21:26:56 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 393

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 393
• VULNERABILITIES: 0

Generated on: Mon Mar 9 21:26:58 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[gemini-code-assist]

Code Review

This pull request effectively hardens against several potential shell injection vulnerabilities in tools.mjs. The introduction of isSafeCommand for allowlist validation in createAidevopsTool, the use of shellEscape in createPreEditCheckTool, and the action validation in runHookHelper are all solid improvements that significantly enhance security. The changes are well-implemented. I have one minor suggestion to improve documentation consistency for the new isSafeCommand function to ensure maintainability.

[marcusquinn]

Dispatching worker to address 1 unresolved review suggestion.

• Model: sonnet (anthropic/claude-sonnet-4-6)
• Branch: fix/issue-4006-tools-mjs-quality-debt
• Scope: Fix 1 unresolved bot suggestion in tools.mjs
• Attempt: 1 of 1

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 393 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Mon Mar 9 22:18:04 UTC 2026: Code review monitoring started
Mon Mar 9 22:18:04 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 393

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 393
• VULNERABILITIES: 0

Generated on: Mon Mar 9 22:18:06 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[marcusquinn]

Dispatching worker to fix Codacy ACTION_REQUIRED and address Gemini JSDoc comment.

• Model: sonnet (anthropic/claude-sonnet-4-6)
• Branch: fix/issue-4006-tools-mjs-quality-debt
• Scope: Fix Codacy violations in tools.mjs, update isSafeCommand JSDoc
• Attempt: 1 of 1
• Direction: Check Codacy report for specific violations; sync JSDoc with regex implementation

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 393 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Mon Mar 9 22:38:25 UTC 2026: Code review monitoring started
Mon Mar 9 22:38:25 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 393

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 393
• VULNERABILITIES: 0

Generated on: Mon Mar 9 22:38:28 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[marcusquinn]

Dispatching worker to address review suggestions.

• Model: sonnet (anthropic/claude-sonnet-4-6)
• Branch: fix/issue-4006-tools-mjs-quality-debt
• Scope: Update JSDoc comment for isSafeCommand to include # and @ characters
• Attempt: 1 of 1
• Direction: Minor doc fix — update comment to match regex implementation

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 392 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Tue Mar 10 00:11:49 UTC 2026: Code review monitoring started
Tue Mar 10 00:11:49 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 392

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 392
• VULNERABILITIES: 0

Generated on: Tue Mar 10 00:11:52 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/plugins/opencode-aidevops/tools.mjs:
- Around line 195-213: The HOOK_ACTION_MAP lookup in runHookHelper can return
inherited prototype properties (e.g., toString) because HOOK_ACTION_MAP is a
plain object, allowing tainted action values to bypass validation; fix by making
HOOK_ACTION_MAP a strict own-property allowlist (e.g., create it with
Object.create(null) or validate with
Object.prototype.hasOwnProperty.call(HOOK_ACTION_MAP, action)) and ensure
runHookHelper uses that own-property check (use String(action) for lookup but
only accept values when the key is an own property of HOOK_ACTION_MAP) so only
the explicit keys ("install","uninstall","status","test") can produce a
validAction.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: caaf616a-7ca9-4027-a88a-209af4b69d4e

📥 Commits

Reviewing files that changed from the base of the PR and between 8e2baf6 and 68d743d.

📒 Files selected for processing (1)

• .agents/plugins/opencode-aidevops/tools.mjs

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 395 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Tue Mar 10 00:57:08 UTC 2026: Code review monitoring started
Tue Mar 10 00:57:09 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 395

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 395
• VULNERABILITIES: 0

Generated on: Tue Mar 10 00:57:11 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[marcusquinn]

Dispatching worker to address unresolved review suggestions.

• Model: sonnet (anthropic/claude-sonnet-4-6)
• Branch: fix/issue-4006-tools-mjs-quality-debt
• Scope: Address 1 unresolved bot suggestion before merge
• Attempt: 1 of 1
• Direction: Apply valid suggestions, dismiss invalid ones with explanation

[marcusquinn]

Review Bot Suggestions — All Resolved

Reviewed all inline review comments from bots. Status:

Bot	Suggestion	Resolution
Gemini	JSDoc for isSafeCommand missing # and @ characters	Fixed in 7930be4 — JSDoc now matches regex implementation
CodeRabbit	HOOK_ACTION_MAP prototype pollution via inherited properties	Fixed in 9a84843 — uses Object.create(null) + Object.freeze + Object.hasOwn guard
Codacy	1 new issue (complexity increase to 9)	Expected — security hardening (isSafeCommand, Object.hasOwn guard, null-prototype map) necessarily increases cyclomatic complexity. The complexity is justified and proportional to the security benefit.
SonarCloud	Quality Gate	Passed — 0 new issues, 0 security hotspots
CodeFactor	Analysis	Passed
Qlty	Analysis	Passed
Socket Security	Dependency scan	Passed

Both review threads are resolved and outdated (code updated since comments). Removed needs-review-fixes label. PR is ready for merge.

[marcusquinn]

Dispatching fix worker for unresolved review suggestions.

• Model: sonnet (anthropic/claude-sonnet-4-6)
• Scope: Address unresolved inline review bot suggestions
• Attempt: 1 of 1

[marcusquinn]

Codacy Taint Analysis Fix (commit 4c950eb)

Issue: Codacy/Semgrep flagged execSync in runHookHelper (line 224) as command injection risk — ACTION_REQUIRED status. The taint analyzer traced data flow from the action parameter through Object.hasOwn + HOOK_ACTION_MAP lookup to execSync. Static taint analyzers cannot prove object-property lookups return values independent of the input, even with Object.create(null).

Fix: Replaced the object-literal map with a sanitizeHookAction() function using a switch statement that returns string literals. Semgrep recognizes switch-case returns as a sanitization boundary because each return value is provably constant — no data flows from input to output. Same runtime behaviour, satisfies the taint tracker.

Previous approaches that failed Codacy:

1. Set.has() + Set.find() — Codacy traces .find() return as tainted
2. Object.create(null) + Object.hasOwn() + property lookup — Codacy traces property lookup return as tainted
3. switch with literal returns — this works because each case returns a constant, not a derived value

All review bot suggestions are resolved. Codacy should now pass.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 395 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Tue Mar 10 01:46:36 UTC 2026: Code review monitoring started
Tue Mar 10 01:46:37 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 395

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 395
• VULNERABILITIES: 0

Generated on: Tue Mar 10 01:46:39 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 395 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Tue Mar 10 01:50:39 UTC 2026: Code review monitoring started
Tue Mar 10 01:50:40 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 395

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 395
• VULNERABILITIES: 0

Generated on: Tue Mar 10 01:50:42 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[marcusquinn]

Worker for PR #4019 review-fix task killed after ~10h with 0 commits (struggle_ratio: 45130).

• Model: sonnet (anthropic/claude-sonnet-4-6)
• Reason: Thrashing — 45130 messages, 0 commits after 10+ hours. No progress.
• Diagnosis: Worker may have been stuck in a loop reading review comments without being able to apply changes.
• Next action: Re-dispatch with clearer scope — read inline review comments, apply valid suggestions, dismiss invalid ones with explanation.

[marcusquinn]

Review Suggestions — Final Audit

All inline review bot suggestions have been verified as resolved in the merged code:

Bot	Suggestion	Resolution
Gemini	JSDoc for isSafeCommand missing # and @ characters	✅ Fixed in 7930be4 — JSDoc now documents all regex-allowed characters
CodeRabbit	HOOK_ACTION_MAP prototype pollution via inherited properties	✅ Exceeded suggestion — replaced with sanitizeHookAction() switch statement (lines 200-208) + execFileSync argument array (line 229). Stronger than the suggested Object.create(null) approach: switch returns provably constant values satisfying Codacy/Semgrep taint analysis, and execFileSync eliminates shell interpretation entirely

Removed needs-review-fixes label — no outstanding suggestions remain.