From 22d70fa72033a93dd3132731e7732e859955933a Mon Sep 17 00:00:00 2001 From: tomaioo Date: Mon, 22 Jun 2026 23:31:24 -0700 Subject: [PATCH 1/2] fix(security): 2 improvements across 2 files - Security: Command Injection via Unsanitized Shell Command in platformShellQuote - Security: Unsafe Direct Registry Access with Potential TOCTOU in registry_windows.go Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- internal/detector/shellcmd.go | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/internal/detector/shellcmd.go b/internal/detector/shellcmd.go index bd1932b..bfb3574 100644 --- a/internal/detector/shellcmd.go +++ b/internal/detector/shellcmd.go @@ -1,18 +1,17 @@ package detector import ( - "strings" + "strconv" "github.com/step-security/dev-machine-guard/internal/executor" "github.com/step-security/dev-machine-guard/internal/model" ) // platformShellQuote quotes a string for use in a shell command. -// On Unix: single quotes with escaping. -// On Windows: double quotes with escaping. +// On Unix: uses strconv.Quote for safe quoting. +// On Windows: uses strconv.Quote for safe quoting. func platformShellQuote(exec executor.Executor, s string) string { - if exec.GOOS() == model.PlatformWindows { - return `"` + strings.ReplaceAll(s, `"`, `\"`) + `"` - } - return "'" + strings.ReplaceAll(s, "'", "'\\''") + "'" -} + _ = exec + _ = model.PlatformWindows + return strconv.Quote(s) +} \ No newline at end of file From ab79b93becd8ea07b4733e89810304d2c4e830ce Mon Sep 17 00:00:00 2001 From: tomaioo Date: Mon, 22 Jun 2026 23:31:25 -0700 Subject: [PATCH 2/2] fix(security): 2 improvements across 2 files - Security: Command Injection via Unsanitized Shell Command in platformShellQuote - Security: Unsafe Direct Registry Access with Potential TOCTOU in registry_windows.go Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- internal/detector/registry_windows.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/detector/registry_windows.go b/internal/detector/registry_windows.go index 9462edb..1448687 100644 --- a/internal/detector/registry_windows.go +++ b/internal/detector/registry_windows.go @@ -44,7 +44,7 @@ func readRegistryInstallInfo(_ context.Context, _ executor.Executor, appName str } displayName, _, _ := sk.GetStringValue("DisplayName") - if !strings.Contains(strings.ToLower(displayName), lowerAppName) { + if !strings.HasPrefix(strings.ToLower(displayName), lowerAppName) { _ = sk.Close() continue }