Review Finding
PR: #11 (feat: comprehensive test suite + hostile testing + /sync skill)
File: src/atlas_session/contract/verifier.py
Line: 55
Severity: must-fix
Description
The blocklist `[;&|\$<>]` misses `()`, `{}`, `!`, and `\n`. Parentheses are used in Python's `-c` flag payloads:
```
python3 -c "import os; os.system('evil')"
```
`python3` is on the allowlist and `-c` is not blocked by argument validation. Combined, this enables arbitrary code execution through a contract criterion.
Fix: Add `(){}!\n\x00` to the metacharacter regex; additionally block dangerous flags like `-c` and `-m` for interpreter binaries.
Auto-created by Claude Code Review.
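To make the gap concrete, here is an added example (not code from the atlas_session project) that places a check built from the quoted blocklist beside the hardened form the finding proposes. The allowlist contents, the shlex-based tokenisation and the function names are assumptions, since the page shows neither the verifier's code nor its allowlist.

```python
import re
import shlex

# Metacharacter class exactly as the finding quotes it from verifier.py line 55.
WEAK_METACHARS = re.compile(r"[;&|\$<>]")
# Same class plus the characters the finding asks to add: ( ) { } ! newline, NUL.
HARDENED_METACHARS = re.compile(r"[;&|\$<>(){}!\n\x00]")

# Assumed allowlist: the page only states that python3 is on it.
ALLOWED_BINARIES = {"python3", "grep", "test"}
# Assumed set of interpreter binaries and the flags the finding says to block.
INTERPRETER_BINARIES = {"python3"}
BLOCKED_INTERPRETER_FLAGS = ("-c", "-m")


def _argv(criterion: str) -> list[str]:
    """Tokenise the criterion like a shell would; unbalanced quotes yield []."""
    try:
        return shlex.split(criterion)
    except ValueError:
        return []


def weak_is_safe(criterion: str) -> bool:
    """Before the fix: metacharacter blocklist plus binary allowlist only."""
    if WEAK_METACHARS.search(criterion):
        return False
    argv = _argv(criterion)
    return bool(argv) and argv[0] in ALLOWED_BINARIES


def hardened_is_safe(criterion: str) -> bool:
    """After the fix: wider metacharacter set and an interpreter-flag check."""
    if HARDENED_METACHARS.search(criterion):
        return False
    argv = _argv(criterion)
    if not argv or argv[0] not in ALLOWED_BINARIES:
        return False
    if argv[0] in INTERPRETER_BINARIES:
        # startswith also catches the fused forms Python accepts, e.g. "-cCODE".
        if any(a.startswith(BLOCKED_INTERPRETER_FLAGS) for a in argv[1:]):
            return False
    return True
```

A harmless criterion such as `python3 -c "print(1)"` passes the weak check but is rejected by the hardened one, which is the gap the finding describes; ordinary non-interpreter criteria pass both.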