DangerousShellChars: Add \r and \f

Author: bitterpanda63

agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/DangerousShellChars.java

@@ -7,7 +7,7 @@ public final class DangerousShellChars {
     private DangerousShellChars() {}
     private static final List<String> DANGEROUS_CHARS = Arrays.asList(
             "#", "!", "\"", "$", "&", "'", "(", ")", "*", ";", "<", "=", ">", "?",
-            "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~"
+            "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~", "\r", "\f"
     );
 
     public static boolean containDangerousCharacter(String userInput) {

agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java

@@ -439,13 +439,24 @@ void testItFlagsCommaInLoop() {
     void testCarriageReturnAsSeparator() {
         // \r (carriage return) as separator before dangerous command
         assertIsShellInjection("ls\rrm", "rm");
+        assertIsShellInjection("sleep\r5", "sleep\r5");
         assertIsShellInjection("echo test\rrm -rf /", "rm");
     }
 
     @Test
     void testFormFeedAsSeparator() {
         // \f (form feed) as separator before dangerous command
         assertIsShellInjection("ls\frm", "rm");
+        assertIsShellInjection("sleep\f5", "sleep\f5");
         assertIsShellInjection("echo test\frm -rf /", "rm");
     }
+
+    @Test
+    void testCommandExactlyMatchesUserInputWithSeparators() {
+        // When command equals userInput and contains \r or \f separators
+        assertIsShellInjection("ls\rrm", "ls\rrm");
+        assertIsShellInjection("ls\frm", "ls\frm");
+        assertIsShellInjection("echo\rcat /etc/passwd", "echo\rcat /etc/passwd");
+        assertIsShellInjection("echo\fcat /etc/passwd", "echo\fcat /etc/passwd");
+    }
 }