🛡️ Sentinel: [security improvement]

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2024-05-15 - Command Injection Vulnerability via String Interpolation
+**Vulnerability:** The `toolExists` function in `CacheCategory.swift` executes a shell command using string interpolation: `shell("/usr/bin/which \(tool)")`. If the `tool` string contains malicious shell characters (like `;`, `&`, or backticks), it allows arbitrary command execution because the wrapper function (`shell(_:)`) passes the entire string to `/bin/bash -c`.
+**Learning:** Using string interpolation to inject dynamic variables into shell wrapper commands (e.g., `shell("cmd \(variable)")`) introduces severe command injection vulnerabilities. The shell interprets the interpolated content before the actual binary is executed.
+**Prevention:** Pass dynamic inputs strictly as elements in the `Process().arguments` array for direct binary execution. However, in this specific case where `which` is needed, we can eliminate the shell entirely and rewrite `toolExists` to use native Swift logic or execute `/usr/bin/which` directly via `Process` with `[tool]` as the argument.

Sources/Cacheout/Models/CacheCategory.swift

@@ -186,8 +186,21 @@ struct CacheCategory: Identifiable, Hashable {
     }
 
     private func toolExists(_ tool: String) -> Bool {
-        let result = shell("/usr/bin/which \(tool)")
-        return result != nil && !result!.isEmpty
+        let process = Process()
+        let pipe = Pipe()
+
+        process.executableURL = URL(fileURLWithPath: "/usr/bin/which")
+        process.arguments = [tool]
+        process.standardOutput = pipe
+        process.standardError = FileHandle.nullDevice
+
+        do {
+            try process.run()
+            process.waitUntilExit()
+            return process.terminationStatus == 0
+        } catch {
+            return false
+        }
     }
 
     private func runProbe(_ command: String) -> String? {