fix(controller): validate ADB shell commands to close arbitrary-shell (S4)#28
Merged
Merged
Conversation
… (S4)
IIABAdbManager.executeCommand ran openStream("shell:" + command) — an
on-device shell over ADB — with no validation. The current callers pass fixed
commands, but the method accepts any string, so a value containing shell
metacharacters (; | & $ ( ) < >, backticks, quotes, newlines) could chain or
substitute extra commands run with ADB privileges (tech-debt S4).
- domain: new pure AdbShellCommand.isSafe(command) — rejects shell
control/substitution/redirection/quote characters and control chars so only a
single self-contained command can run. Pure JVM, unit-tested
(AdbShellCommandTest).
- IIABAdbManager.executeCommand fails closed (logs + does not open the stream)
on an unsafe command. The two legitimate settings/device_config calls are
unaffected.
- Docs: CLAUDE.md design map + TECH_DEBT_PLAN progress log (S4 done; only F15
remains in Phase 1).
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.
Tip: disable this comment in your organization's Code Review settings.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 1 (security hardening).
IIABAdbManager.executeCommandranopenStream("shell:" + command)— an on-device shell over ADB — with no validation. Today's callers pass fixed commands, but the method accepts any string, so a value with shell metacharacters (; | & $ ( ) < >, backticks, quotes, newlines) could chain or substitute extra commands run with ADB privileges. Tech-debt item S4.Changes
adb/domain/AdbShellCommand(new, pure JVM):isSafe(command)rejects shell control / substitution / redirection / quote characters and control chars, so only a single self-contained command can run. Unit-tested (AdbShellCommandTest).IIABAdbManager.executeCommand: validates and fails closed (logs + does not open theshell:stream) on an unsafe command. The two legitimatesettings put global …/device_config put …calls are unaffected.Design note (per discussion)
We chose metacharacter rejection over an exact command allowlist: ADB commands legitimately grow with new features, so an allowlist would be brittle, whereas rejecting
; | & $ \( ) < > ' " \+ CR/LF/control neutralizes command-chaining/substitution while allowing any normal single command. The othershell:calls in the class (top,settings get,dumpsys`) are fixed literals and were not the vector.Testing
AdbShellCommandTest(pure JVM, CItestDebugUnitTestgate): accepts the two real app commands; rejects chaining, substitution, redirection, quotes/escape, newlines, empty/null. Logic also verified out of band (16 cases).With S4 done, the only remaining Phase 1 item is F15 (cleartext OTA APK).