From bdf9f165f85cb0c6209ba51d127309cac9d33c9e Mon Sep 17 00:00:00 2001
From: Rootless-Ghost/RG-Nebula
 <139057350+Rootless-Ghost@users.noreply.github.com>
Date: Sat, 25 Apr 2026 16:25:12 -0400
Subject: [PATCH] Potential fix for code scanning alert no. 2: Uncontrolled
 command line

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 app.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/app.py b/app.py
index fb274bb..bf7b183 100644
--- a/app.py
+++ b/app.py
@@ -236,7 +236,7 @@ def execute_route():
     if not _check_api_key():
         return jsonify({"error": "unauthorized"}), 401
 
-    from core.executor import execute
+    from core.executor import execute, _is_allowed_atomic_command
     from core.remote_executor import execute_remote_winrm
 
     body = request.get_json(silent=True) or {}
@@ -253,6 +253,12 @@ def execute_route():
     if not command:
         return jsonify({"success": False, "error": "command is required"}), 400
 
+    if not _is_allowed_atomic_command(command, executor_type):
+        return jsonify({
+            "success": False,
+            "error": "command is not in the embedded atomic allowlist for this executor",
+        }), 400
+
     if transport == "winrm":
         if not target_host:
             return jsonify({