@@ -191,6 +191,34 @@ def with_data_source(options, initialize_to_valid = false)
191191 end
192192 end
193193
194+ it "does not execute commands via malicious filenames" do
195+ # This tests that filenames containing shell metacharacters are treated as literal paths
196+ # and do not result in command execution. The file reading should use safe methods
197+ # that don't pass paths through a shell.
198+ marker_file = File . join ( @tmp_dir , "command_injection_marker" )
199+
200+ # Various command injection attempts - if any command executed, it would create the marker file
201+ malicious_paths = [
202+ "|touch #{ marker_file } " ,
203+ ";touch #{ marker_file } " ,
204+ "$(touch #{ marker_file } )" ,
205+ "`touch #{ marker_file } `" ,
206+ "& touch #{ marker_file } " ,
207+ "\n touch #{ marker_file } \n " ,
208+ ]
209+
210+ malicious_paths . each do |malicious_path |
211+ with_data_source ( { paths : [ malicious_path ] } ) do |ds |
212+ event = ds . start
213+ expect ( event . set? ) . to eq ( true )
214+ # Should fail to initialize because the file doesn't exist (treated as literal path)
215+ expect ( ds . initialized? ) . to eq ( false )
216+ # Most importantly: no command should have been executed
217+ expect ( File . exist? ( marker_file ) ) . to eq ( false ) , "Command injection detected with path: #{ malicious_path } "
218+ end
219+ end
220+ end
221+
194222 it "sets start event and initialized on successful load" do
195223 file = make_temp_file ( all_properties_json )
196224 with_data_source ( { paths : [ file . path ] } ) do |ds |
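Review bot: The marker-file check in the new example is a negative assertion with no precondition: nothing asserts that `command_injection_marker` is absent before `malicious_paths.each`, and nothing removes it afterwards. If `@tmp_dir` is reused between examples or runs (its setup is outside this hunk), a stale marker would fail the example on the first path regardless of how the data source reads files. I would add `expect(File.exist?(marker_file)).to eq(false)` just before the loop and `File.delete(marker_file) if File.exist?(marker_file)` in an `ensure` around it. The example also depends on `touch` and a POSIX shell being present, so on a runner without them it passes without exercising anything. A short comment stating that assumption, or a skip on such platforms, would keep a green result from being read as coverage.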