Review Finding
PR: #76 (feat: rewrite /start SKILL.md — MCP-first, 266 lines)
File: src/atlas_session/contract/verifier.py
Line: 66
Severity: must-fix
Description
subprocess.run is called with shell=True and a raw command string that originates from user-supplied criterion data via the contract_create MCP tool. Any caller who can invoke contract_create (or write to contract.json) can execute arbitrary shell commands in project_dir. Example: a criterion with command='rm -rf /' will run as-is. Fix: use shell=False with a pre-validated whitelist of allowed command patterns, or split commands into list form and reject inputs with shell metacharacters. At minimum, never pass untrusted data to shell=True.
Auto-created by Claude Code Review.
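One way to apply the fix described in the finding, shown as an added example and not the project's own code. The allowlist contents and the names `CommandRejected`, `parse_criterion_command` and `run_criterion` are assumptions, not taken from verifier.py.

```python
import shlex
import subprocess

# Hypothetical allowlist: executable -> permitted first argument (None = any).
ALLOWED = {"pytest": None, "ruff": {"check"}, "git": {"status", "diff"}}
# Characters a shell would interpret; quotes are left to shlex.
SHELL_META = set(";&|<>$`\\\n(){}*?~!#")


class CommandRejected(ValueError):
    """Raised when a criterion command fails validation."""


def parse_criterion_command(command: str) -> list[str]:
    """Turn an untrusted criterion command string into a validated argv list."""
    bad = SHELL_META.intersection(command)
    if bad:
        raise CommandRejected(f"shell metacharacters not allowed: {sorted(bad)}")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise CommandRejected(str(exc)) from exc
    if not argv:
        raise CommandRejected("empty command")
    exe, args = argv[0], argv[1:]
    if exe not in ALLOWED:  # bare names only, so ./pytest or /bin/sh also fail
        raise CommandRejected(f"executable not allowlisted: {exe!r}")
    subcommands = ALLOWED[exe]
    if subcommands is not None and (not args or args[0] not in subcommands):
        raise CommandRejected(f"subcommand not allowlisted for {exe!r}")
    return argv


def run_criterion(command: str, project_dir: str, timeout: int = 60):
    """Validate first, then execute without a shell in project_dir."""
    argv = parse_criterion_command(command)
    # With a list and shell=False, argv is passed to exec; no shell parses it.
    return subprocess.run(argv, cwd=project_dir, shell=False,
                          capture_output=True, text=True, timeout=timeout)
```

Validation happens before any process is spawned, so the finding's `rm -rf /` example is rejected at the allowlist check. An allowlisted tool can still run code from project_dir through its own configuration or options, so the allowlist should stay as narrow as the criteria require.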