
πŸ›‘οΈ Sentinel: [CRITICAL] Fix command and argument injection in run_validation#584

Open: mudcube wants to merge 1 commit into `main` from `sentinel-fix-command-injection-2452698341072403271`
mudcube commented Jun 5, 2026


🚨 Severity: CRITICAL

💡 Vulnerability: The `run_validation` functions in `mill-services` were vulnerable to command and argument injection. `post_apply.rs` executed commands using `sh -c` and `cmd.exe /C` without any validation, allowing arbitrary shell command injection (e.g., `cargo check ; rm -rf /`). `utils.rs` implemented a security policy but used a permissive `starts_with` check on the raw string, allowing argument injection (e.g., `cargo checkmate` bypassing the `cargo check` allowed prefix).

🎯 Impact: An attacker or malicious configuration could execute arbitrary system commands on the server or developer's machine with the privileges of the running application, leading to full system compromise, data exfiltration, or denial of service.

🔧 Fix:

  • Removed `sh -c` and `cmd.exe /C` execution in `post_apply.rs`.
  • Introduced `shlex` to safely parse raw command strings into program and arguments.
  • Replaced the permissive `starts_with` check with strict, element-by-element matching of the parsed command against the allowed safe prefixes in both `utils.rs` and `post_apply.rs`.
  • Commands are now executed safely using `Command::new(program).args(args)`.

✅ Verification: Verified by running the test suite (`cargo test -p mill-services`) which confirms that valid commands (like `cargo check` and `cargo test --help`) are allowed and executed correctly, while invalid or potentially malicious commands (like `nonexistent_command_12345` or `sleep 10`) are strictly blocked by the security policy.


PR created automatically by Jules for task 2452698341072403271 started by @mudcube

Refactored validation execution in `utils.rs` and `post_apply.rs` to securely
parse commands and strictly match element-by-element against an allowlist,
preventing command injection via shell interpreters and argument injection via
permissive string checks.

Co-authored-by: mudcube <101564+mudcube@users.noreply.github.com>
@google-labs-jules


👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@cloudflare-workers-and-pages


Deploying typemill with Cloudflare Pages

Latest commit: e5faf10
Status: ✅ Deploy successful!
Preview URL: https://ce4e6d08.typemill.pages.dev
Branch Preview URL: https://sentinel-fix-command-injecti-5808.typemill.pages.dev


chatgpt-codex-connector (bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e5faf10976

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +103 to +107
// Check exact element-by-element match to prevent argument injection
prefix_elements
.iter()
.enumerate()
.all(|(i, &p)| parsed_args[i] == p)
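
Review bot: `parsed_args[i]` inside the `.all(...)` closure indexes without a bounds check, so a command with fewer tokens than the allowed prefix (a bare `cargo` against a `cargo check` entry) panics here unless a length comparison precedes these lines, which the visible context does not show. Comparing through `parsed_args.get(i)`, or guarding with `parsed_args.len() >= prefix_elements.len()` before the iterator, turns that case into an ordinary rejection, and a test with a too-short command would pin the behaviour down.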


P1: Reject unsafe suffix arguments

When the validation command comes from untrusted or user-editable config, matching only the first tokens still permits dangerous tool-specific arguments after an allowed prefix. For example, `cargo check --manifest-path /tmp/evil/Cargo.toml` passes this check (I checked `cargo check --help`, which documents `--manifest-path <PATH>`), and `make test -f /tmp/Makefile`/`make test --eval=...` also pass (GNU make help documents `-f` and `--eval`); those tools can then execute attacker-controlled build scripts or recipes even though the command is considered safe. The allowlist needs to constrain or reject unsafe extra arguments, not only verify the prefix.

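
Added example (not code from this PR or the project): the three checks discussed in this thread side by side, namely the raw-string `starts_with` test from the PR description, the token-by-token prefix match of the fix, and the review's request to constrain arguments after the prefix. `Rule`, `POLICY`, the `extra_ok` lists and the function names are hypothetical, and a restrictive character filter plus whitespace split stands in for `shlex` so the block needs only the standard library.

```rust
// Added example, not code from the PR. POLICY, Rule and the function names are hypothetical.

/// One allowlist entry: exact leading tokens plus the only extra arguments allowed after them.
struct Rule {
    prefix: &'static [&'static str],
    extra_ok: &'static [&'static str],
}

// Constructed policy for illustration; the project's real allowlist is not shown on the page.
const POLICY: &[Rule] = &[
    Rule { prefix: &["cargo", "check"], extra_ok: &["--workspace", "--all-targets"] },
    Rule { prefix: &["cargo", "test"], extra_ok: &["--help"] },
];

/// Stand-in for shlex (assumption, to stay std-only): refuse anything outside a small
/// character set, so quoting and shell metacharacters never reach the split.
fn tokenize(raw: &str) -> Option<Vec<&str>> {
    let safe = |c: char| c.is_ascii_alphanumeric() || " -_=./".contains(c);
    if !raw.chars().all(safe) {
        return None;
    }
    let tokens: Vec<&str> = raw.split_whitespace().collect();
    (!tokens.is_empty()).then_some(tokens)
}

/// The check the PR replaces: prefix test on the raw string.
fn raw_prefix_allows(raw: &str) -> bool {
    POLICY.iter().any(|r| raw.starts_with(&r.prefix.join(" ")))
}

/// Token-by-token prefix match; slice::starts_with returns false on short input.
fn token_prefix_allows(raw: &str) -> bool {
    tokenize(raw).map_or(false, |t| POLICY.iter().any(|r| t.starts_with(r.prefix)))
}

/// Prefix match plus the review's point: every token after the prefix must be listed.
fn strict_allows(raw: &str) -> bool {
    tokenize(raw).map_or(false, |t| {
        POLICY.iter().any(|r| {
            t.starts_with(r.prefix)
                && t[r.prefix.len()..].iter().all(|a| r.extra_ok.contains(a))
        })
    })
}

fn main() {
    for cmd in ["cargo checkmate", "cargo check --manifest-path /tmp/evil/Cargo.toml"] {
        println!("{cmd:?}: raw={} tokens={} strict={}",
            raw_prefix_allows(cmd), token_prefix_allows(cmd), strict_allows(cmd));
    }
}
```

A per-rule list of permitted trailing arguments is one way to meet the review's request; rejecting all trailing arguments is the stricter alternative when the validation commands are fixed.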