Review Finding
PR: #75 (feat: MCP server source control + 5 new session tools)
File: src/atlas_session/contract/verifier.py
Line: 66
Severity: must-fix
Description
_run_shell passes criterion.command directly to subprocess.run(..., shell=True). The command field originates from the MCP caller via contract_create's criteria: list[dict] argument. Anyone who can call that tool can supply ; rm -rf ~ or similar. Use shell=False with a parsed argument list, or validate commands against an allowlist of safe patterns before execution.
Auto-created by Claude Code Review.
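A sketch of the remediation the finding describes, combining both suggestions (a parsed argument list run with shell=False, plus an allowlist check). This is an added example, not code from the PR or the project: `parse_command`, `run_criterion_command`, `CommandRejected` and the contents of `ALLOWED_EXECUTABLES` are hypothetical names and values, and the demo input is constructed.

```python
import shlex
import subprocess

# Hypothetical allowlist: bare executable names only, and no interpreters
# (sh, bash, python, env, ...) that would execute caller-supplied code again.
ALLOWED_EXECUTABLES = frozenset({"echo", "true", "false"})


class CommandRejected(ValueError):
    """Raised when a criterion command fails validation."""


def parse_command(command: str) -> list[str]:
    """Turn the caller-supplied string into an argv list, or reject it."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    # Exact-name match: "./echo" or "/tmp/echo" is not in the set and fails.
    if argv[0] not in ALLOWED_EXECUTABLES:
        raise CommandRejected(f"executable not allowed: {argv[0]!r}")
    return argv


def run_criterion_command(command: str, timeout: float = 10.0):
    """Run a validated command without a shell, so ';', '|', '&&' and '$(...)'
    reach the program as literal argument text instead of being interpreted."""
    argv = parse_command(command)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    # Constructed input: the ';' stays part of echo's arguments.
    result = run_criterion_command("echo ok; touch marker-file")
    print(result.stdout, end="")
    for bad in ("sh -c 'echo hi'", "touch marker-file", "echo 'unbalanced"):
        try:
            run_criterion_command(bad)
        except CommandRejected as exc:
            print("rejected:", exc)
```

The allowlist matters even with shell=False: an allowed interpreter or a tool that accepts a command to run as an argument would reintroduce the same exposure.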