From 732e679359104626d3067ea0cac2a315a07bd2a3 Mon Sep 17 00:00:00 2001
From: Rootless-Ghost/RG-Nebula <139057350+Rootless-Ghost@users.noreply.github.com>
Date: Sat, 25 Apr 2026 16:30:48 -0400
Subject: [PATCH] Potential fix for code scanning alert no. 2: Uncontrolled command line
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 core/executor.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/core/executor.py b/core/executor.py
index a6143a8..cf495e6 100644
--- a/core/executor.py
+++ b/core/executor.py
@@ -294,14 +294,26 @@ def _build_command(command: str, executor_type: str) -> list[str] | None:
 if executor_type == "cmd":
 if system == "windows":
 return ["cmd.exe", "/c", command]
- # Fall back to sh on non-Windows
- return ["sh", "-c", command]
+ # Fall back to direct execution on non-Windows (avoid shell -c)
+ try:
+ argv = shlex.split(command, posix=True)
+ except ValueError:
+ return None
+ return argv or None
 if executor_type == "bash":
- return ["bash", "-c", command]
+ try:
+ argv = shlex.split(command, posix=True)
+ except ValueError:
+ return None
+ return argv or None
 if executor_type == "sh":
- return ["sh", "-c", command]
+ try:
+ argv = shlex.split(command, posix=True)
+ except ValueError:
+ return None
+ return argv or None
 return None
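Review bot: Replacing `sh -c` / `bash -c` with `shlex.split(command)` in the `bash`, `sh` and non-Windows `cmd` branches changes what those executor types mean rather than controlling the command line: shell syntax in `command` (pipes, redirections, `&&`, `$VAR`, globs) now becomes literal argv tokens handed to whatever `argv[0]` is, so existing commands either fail or run with unintended arguments, while `argv[0]` is still taken verbatim from `command`, which is presumably what the "Uncontrolled command line" alert flags. If `command` can originate from an untrusted source, the mitigation belongs at that boundary — validate `argv[0]` against an allowlist of permitted executables (or resolve it from a fixed map) before anything reaches `subprocess` — and if `command` is trusted operator configuration, say so on `_build_command` and keep the shell executors, e.g. `# command is operator-supplied configuration; shell semantics are intentional`. Either way the new behaviour needs a docstring line such as `Note: "bash"/"sh" no longer invoke a shell; the command is tokenized with shlex and executed directly.`, and the Windows branch, which still runs `cmd.exe /c command`, should be treated consistently with the others. The three identical `try`/`except ValueError` blocks could be folded into one `_split_argv(command) -> list[str] | None` helper so the parse-failure and empty-command handling lives in one place. `_build_command` begins before this hunk.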