From 76877ae65a0d439279fe466819acee116fd19fb7 Mon Sep 17 00:00:00 2001
From: Rootless-Ghost/RG-Nebula
 <139057350+Rootless-Ghost@users.noreply.github.com>
Date: Mon, 13 Apr 2026 17:11:14 -0400
Subject: [PATCH] Potential fix for code scanning alert no. 2: Uncontrolled
 command line

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 core/engine.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/core/engine.py b/core/engine.py
index 5dfad9b..a15c9ee 100644
--- a/core/engine.py
+++ b/core/engine.py
@@ -155,6 +155,27 @@ def run_test(
             cleanup_cmd_raw, input_args, test.get("input_arguments", {}), test["executor_type"]
         ) if cleanup_cmd_raw else None
 
+        # Integrity check: only allow commands derived from the selected embedded
+        # atomic template and its declared input arguments.
+        expected_command = substitute_variables_safe(
+            test["command"], input_args, test.get("input_arguments", {}), test["executor_type"]
+        )
+        if command != expected_command:
+            return {
+                "success": False,
+                "error": "Command integrity check failed for selected atomic test.",
+            }
+
+        if cleanup_cmd_raw:
+            expected_cleanup = substitute_variables_safe(
+                cleanup_cmd_raw, input_args, test.get("input_arguments", {}), test["executor_type"]
+            )
+            if cleanup_command != expected_cleanup:
+                return {
+                    "success": False,
+                    "error": "Cleanup command integrity check failed for selected atomic test.",
+                }
+
         executed_at = datetime.utcnow().isoformat() + "Z"
 
         # Execute