Conversation
- _substitute_utcp_args now shell-quotes substituted tool_args via shlex.quote on Unix and a PowerShell single-quoted literal on Windows, blocking metacharacter injection (`;`, `|`, `&`, backticks, `$()`, newlines). Each placeholder now expands to exactly one shell token; tools that relied on a single placeholder splitting into multiple flags must use one placeholder per flag. Backs GHSA-33p6-5jxp-p3x4.
- _prepare_environment no longer hands os.environ.copy() to the subprocess. Inheritance is now controlled by a new CliCallTemplate.inherit_env_vars field:
  - None (default): a built-in OS-specific safe allowlist (PATH, HOME / PATHEXT, SYSTEMROOT, USERPROFILE, etc.) is inherited.
  - []: strict mode; nothing from the host environment is inherited.
  - [names...]: exactly those host vars are inherited (replaces, not merges with, the default allowlist).
  env_vars is always layered on top and overrides any inherited value. Backs GHSA-5v57-8rxj-3p2r.
- REQUIRED docstrings + Field descriptions on CliCallTemplate and CommandStep updated so the new behavior surfaces in generated OpenAPI / JSON manuals.
- New tests/test_security.py covers shell quoting, env allowlist, inherit_env_vars semantics (None / [] / explicit list), unset-name skipping, env_vars override precedence, Pydantic round-trip, and a Unix end-to-end injection canary.
- Bumps utcp-cli 1.1.1 -> 1.1.2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
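An added example, not utcp-cli's own code, showing the two behaviours the commit message describes: placeholder substitution that emits one quoted token per placeholder (shlex.quote on Unix, a PowerShell single-quoted literal on Windows) next to the pre-fix raw interpolation, and an environment builder with the None / [] / explicit-list semantics of inherit_env_vars. The `UTCP_ARG_..._UTCP_END` placeholder form comes from this PR; the helper names, the allowlist contents and the sample values are assumptions constructed for the example.

```python
import os
import re
import shlex
import sys

# Placeholder syntax from the commit message; helper names here are assumptions.
PLACEHOLDER = re.compile(r"UTCP_ARG_(\w+)_UTCP_END")


def default_allowlist(platform=sys.platform):
    """Constructed stand-in for the built-in OS-specific safe allowlist."""
    if platform == "win32":
        return ["PATH", "PATHEXT", "SYSTEMROOT", "USERPROFILE"]
    return ["PATH", "HOME"]


def quote_for_shell(value, platform=sys.platform):
    """One placeholder -> exactly one shell token on either platform."""
    if platform == "win32":
        # PowerShell single-quoted literal: only ' is special, escaped as ''.
        return "'" + str(value).replace("'", "''") + "'"
    return shlex.quote(str(value))


def substitute_utcp_args_unsafe(command, tool_args):
    """Pre-fix behaviour: raw interpolation, so ; | & $() inside a value
    become part of the command line (the GHSA-33p6-5jxp-p3x4 class)."""
    return PLACEHOLDER.sub(lambda m: str(tool_args[m.group(1)]), command)


def substitute_utcp_args(command, tool_args, platform=sys.platform):
    """Hardened: every placeholder is replaced by a single quoted token."""
    return PLACEHOLDER.sub(
        lambda m: quote_for_shell(tool_args[m.group(1)], platform), command)


def prepare_environment(env_vars, inherit_env_vars, host_env=None, platform=sys.platform):
    """inherit_env_vars: None -> default allowlist, [] -> nothing,
    [names] -> exactly those (not merged). Unset host names are skipped and
    env_vars is layered on top, overriding any inherited value."""
    host = os.environ if host_env is None else host_env
    names = default_allowlist(platform) if inherit_env_vars is None else inherit_env_vars
    env = {name: host[name] for name in names if name in host}
    env.update(env_vars or {})
    return env
```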
CI runs pytest across multiple plugin test dirs in one invocation. The HTTP plugin already had a `test_security.py`, so the new CLI one collided on import (`test_security` module name) and pytest aborted collection with `import file mismatch`. Rename to a plugin-prefixed basename so both can coexist without needing `__init__.py` files in the tests dirs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@h3xxit I have started the AI code review. It will take a few minutes to complete.
1 issue found across 5 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="plugins/communication_protocols/cli/src/utcp_cli/cli_communication_protocol.py">
<violation number="1" location="plugins/communication_protocols/cli/src/utcp_cli/cli_communication_protocol.py:529">
P2: Use braced PowerShell env-variable syntax for substituted placeholders to avoid variable-name boundary parsing bugs when placeholders are adjacent to suffix characters.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Summary by cubic

Blocks command injection by switching `UTCP_ARG_*` to quote-aware variable references backed by per-call env vars, and prevents host env leaks via an explicit allowlist; bumps `utcp-cli` to 1.1.4. Increases discovery timeout to 60s to handle slow PowerShell startup.

Bug Fixes
- Placeholders become shell variable references: Unix uses `"$VAR"` / `${VAR}` / `'"$VAR"'`; PowerShell uses braced `${env:VAR}` and errors if inside single quotes. Values travel via nonce-scoped `__UTCP_ARG_*` env vars, not inlined. Closes GHSA-33p6-5jxp-p3x4 and the prior double-quote bypass.
- Substitution returns `(script, arg_env)`; `call_tool` / `register_manual` merge `arg_env` into the subprocess env so references resolve.
- `inherit_env_vars`: `None` uses a safe OS allowlist; `[]` inherits nothing; `["NAMES"]` inherits exactly those (not merged). `env_vars` always overrides. Closes GHSA-5v57-8rxj-3p2r. Windows allowlist includes `PSMODULEPATH`.
- `register_manual` timeout set to 60s.

Migration
- `UTCP_ARG_..._UTCP_END` now expands to a single argument via env expansion. If you packed multiple flags into one placeholder, split them.
- Configure `inherit_env_vars` (include `PATH` if needed) or use `[]` for strict mode.

Written for commit 1deffbe. Summary will update on new commits.