
fix: avoid shell=True where possible to prevent RCE via shell injection (#5378)

Status: Open

Sarthak816 wants to merge 4 commits into Aider-AI:main from Sarthak816:fix/5375-rce-shell-true


Conversation

@Sarthak816


Fixes #5375 - Remote Code Execution via unescaped cmd parameter with shell=True

This PR addresses the RCE concern by avoiding shell=True where possible, falling back only for commands that genuinely need shell interpretation.

Changes:

1. aider/run_cmd.py

  • Added _has_shell_operators() helper that detects shell metacharacters (|, &, ;, $, `, (), &&, ||, >>, <<) outside of quoted strings using regex
  • Modified run_cmd_subprocess() to:
    • Check if the command contains shell operators
    • If no shell operators: use shlex.split() to build a list and execute with shell=False
    • If shell operators or shlex.split() fails: fall back to shell=True

2. aider/commands.py

  • Modified cmd_git() to use shlex.split() + list-based subprocess.run() with shell=False
  • Git commands don't need shell features (pipes, redirects, etc.), so shell=True was unnecessary

Security impact:

  • All simple commands (the majority of lint, test, and run commands) now execute without the shell
  • Complex commands with pipes/redirects/chaining continue to work via shell fallback
  • The /git command no longer passes through the shell at all
  • Backward compatible: all existing user configurations continue to work
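The detect-then-dispatch logic described in the PR, written out as an added example that is not aider's code and does not reproduce the PR's diff: has_shell_operators(), plan_command(), run_cmd() and demo_exit_code() are assumed names, and the allow_shell flag is an extra gate beyond what the PR describes. The use_shell value that plan_command() returns is what to log or gate on, since commands on the fallback path are still interpreted by the shell.

```python
import re
import shlex
import subprocess
import sys

# Operators the PR's helper looks for: ||, &&, >>, << and the single
# characters | & ; $ ` ( ) < >. Two-character forms are listed first.
_SHELL_OPERATOR_RE = re.compile(r"\|\||&&|>>|<<|[|&;$`()<>]")
# Single-quoted and double-quoted segments (with backslash escapes inside
# double quotes) are removed before scanning, so 'a|b' is a literal argument.
_QUOTED_RE = re.compile(r"'[^']*'|\"(?:\\.|[^\"\\])*\"")


def has_shell_operators(cmd: str) -> bool:
    """True if cmd contains a shell metacharacter outside quoted strings."""
    return bool(_SHELL_OPERATOR_RE.search(_QUOTED_RE.sub("", cmd)))


def plan_command(cmd: str):
    """Return (args, use_shell): an argv list with shell=False when the
    command has no shell operators and parses cleanly, otherwise the raw
    string with shell=True (the fallback path the PR describes)."""
    if not has_shell_operators(cmd):
        try:
            return shlex.split(cmd), False
        except ValueError:
            pass  # unbalanced quotes: shlex cannot build argv, fall back
    return cmd, True


def run_cmd(cmd: str, allow_shell: bool = True) -> int:
    """Execute cmd the way plan_command() decides and return its exit code.
    allow_shell=False (assumed extra gate) refuses the shell=True path."""
    args, use_shell = plan_command(cmd)
    if use_shell and not allow_shell:
        raise ValueError(f"refusing to run through the shell: {cmd!r}")
    return subprocess.run(args, shell=use_shell).returncode


def demo_exit_code(code: int) -> int:
    """Run the current interpreter with a quoted -c payload containing ';'.
    The ';' sits inside quotes, so the command runs with shell=False."""
    cmd = f"{shlex.quote(sys.executable)} -c 'import sys; sys.exit({code})'"
    return run_cmd(cmd)


if __name__ == "__main__":
    # Constructed sample commands showing which path each one takes.
    for c in ["pytest tests/ -x", "git log --oneline | head -5",
              "grep 'a|b' file.txt", "echo $(date)"]:
        print(c, "->", plan_command(c))
```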

Fixes Aider-AI#5307 - on OpenBSD and other platforms without pre-built wheels, tree-sitter-c-sharp builds from source. Versions 0.23.1-0.23.4 do not bundle the tree_sitter/parser.h header, causing the C compiler to fail with 'fatal error: tree_sitter/parser.h not found'.

Updated tree-sitter-c-sharp to 0.23.5 which includes the necessary headers for source builds.

Changes:
- requirements.txt: 0.23.1 -> 0.23.5
- requirements/common-constraints.txt: 0.23.1 -> 0.23.5
- requirements/tree-sitter.in: added tree-sitter-c-sharp>=0.23.5 constraint with explanatory comment

Fixes Aider-AI#5358 - adds type annotations to all public functions across 4 core modules:

- aider/main.py: ~20 functions typed (entry points, argument parsing, git setup)
- aider/commands.py: ~45 methods typed (all user-facing / commands + helpers)
- aider/io.py: ~25 methods typed (InputOutput class + helpers)
- aider/models.py: ~40 methods typed (ModelInfoManager, Model class, module-level functions)

Key implementation decisions:
- Added from __future__ import annotations to all files for forward reference support
- Used Optional, Union, Any, Callable, TextIO from typing as appropriate
- NoReturn for functions that always raise exceptions (sys.exit, SwitchCoder)
- Used None return type for functions that sometimes return and sometimes raise

Fixes Aider-AI#5376 - Aider was silently bypassing pre-commit hooks by applying --no-verify to all git commits. This is a security risk for projects relying on pre-commit hooks for SAST scanning, secret detection, and code formatting.

Changed the default of --git-commit-verify from False to True in aider/args.py, so pre-commit hooks are now honored by default. Users who need to bypass hooks can explicitly opt in with --no-git-commit-verify.

Fixes Aider-AI#5375 - Remote Code Execution via unescaped cmd parameter with shell=True

Changes:

1. aider/run_cmd.py:
   - Added _has_shell_operators() helper that detects shell metacharacters outside of quoted strings
   - Modified run_cmd_subprocess to prefer list-based subprocess execution (shell=False) for commands without shell operators
   - Falls back to shell=True only for commands containing pipes, redirects, chaining, or other shell features

2. aider/commands.py:
   - Modified cmd_git() to use shlex.split() + list-based subprocess.run with shell=False
   - Git commands don't need shell features, so shell=True was unnecessary


Development

Successfully merging this pull request may close these issues.

[Security] Remote Code Execution (RCE) via Unescaped cmd Parameter with shell=True in linter.py
