Merge pull request #268 from AikidoSec/fix-different-separators-in-command-injection

bitterpanda63 · web-flow · commit 752e55006292 · 2026-02-06T13:19:34.000+01:00
Adds more shell separators for injection check
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/ShellSyntaxChecker.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/ShellSyntaxChecker.java
@@ -10,7 +10,7 @@
 public final class ShellSyntaxChecker {
     private ShellSyntaxChecker() {}
     private static final List<String> SEPARATORS = Arrays.asList(
-            " ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">"
+            " ", "\t", "\n", ";", "&", "|", "(", ")", "<", ">", "\r", "\f"
     );
 
     public static boolean containsShellSyntax(String command, String userInput) {
diff --git a/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java b/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
@@ -434,4 +434,18 @@ void testItFlagsCommaInLoop() {
                 "for (( i=0, j=10; i<j; i++, j-- ))"
         );
     }
+
+    @Test
+    void testCarriageReturnAsSeparator() {
+        // \r (carriage return) as separator before dangerous command
+        assertIsShellInjection("ls\rrm", "rm");
+        assertIsShellInjection("echo test\rrm -rf /", "rm");
+    }
+
+    @Test
+    void testFormFeedAsSeparator() {
+        // \f (form feed) as separator before dangerous command
+        assertIsShellInjection("ls\frm", "rm");
+        assertIsShellInjection("echo test\frm -rf /", "rm");
+    }
 }
