From 6da80a9230122c7ccd81fff0b299f1ece2544111 Mon Sep 17 00:00:00 2001
From: badMade <106821302+badMade@users.noreply.github.com>
Date: Thu, 30 Apr 2026 01:59:37 +0000
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=92=20Fix=20command=20injection=20?= =?UTF-8?q?vulnerability=20in=20command=5Fexists?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
---
 rust/crates/tools/src/lib.rs | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/rust/crates/tools/src/lib.rs b/rust/crates/tools/src/lib.rs
index 26756b6dd4..e32848ca9e 100644
--- a/rust/crates/tools/src/lib.rs
+++ b/rust/crates/tools/src/lib.rs
@@ -5151,7 +5151,9 @@ fn detect_powershell_shell() -> std::io::Result<&'static str> {
 fn command_exists(command: &str) -> bool {
     std::process::Command::new("sh")
         .arg("-c")
-        .arg(format!("command -v {command} >/dev/null 2>&1"))
+        .arg("command -v \"$1\" >/dev/null 2>&1")
+        .arg("--")
+        .arg(command)
         .status()
         .map(|status| status.success())
         .unwrap_or(false)
@@ -5351,6 +5353,22 @@ pub mod pdf_extract;
 
 #[cfg(test)]
 mod tests {
+
+    #[test]
+    fn test_command_exists_valid() {
+        assert!(super::command_exists("ls") || super::command_exists("dir"));
+    }
+
+    #[test]
+    fn test_command_exists_invalid() {
+        assert!(!super::command_exists("nonexistentcommandthatshouldneverexist123"));
+    }
+
+    #[test]
+    fn test_command_exists_injection() {
+        assert!(!super::command_exists("ls; echo injected"));
+        assert!(!super::command_exists("ls && echo injected"));
+    }
     use std::collections::BTreeMap;
     use std::collections::BTreeSet;
     use std::fs;

From 42e4e863c750194d2ba61920d7cb4c1e3d21b6f0 Mon Sep 17 00:00:00 2001
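Review bot: The `.arg("--")` on the second added line of the `command_exists` hunk is load-bearing but unexplained: with `sh -c script a b` the first operand after the script becomes `$0`, so `--` exists only to push the untrusted name into `$1`, where the shell treats it as a single word instead of parsing it as syntax. A comment such as `// "--" fills $0 so the name lands in $1 and is never parsed as shell syntax.` would stop a later cleanup from dropping it and silently shifting `$1` onto whatever follows. Two behaviours belong in a doc comment on `command_exists`: `command -v` also reports shell builtins and functions as present, so a name like `cd` returns true although nothing can be spawned for it, and the function returns false whenever `sh` itself cannot be started, which makes the result platform-dependent (the neighbouring `detect_powershell_shell` suggests non-Unix targets are in scope). If only external executables matter, walking `std::env::split_paths` over `PATH` and checking for an executable file would answer the question without spawning a shell at all. The body of `command_exists` closes outside the hunk.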
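Review bot: The three new tests in the `mod tests` hunk are inserted between `mod tests {` and the module's `use` lines, which compiles but strands the imports below the first items; moving the block after the `use` list (which, like the module itself, continues past the hunk) keeps the module readable, and rustfmt will not reorder it for you. `test_command_exists_valid` and `test_command_exists_injection` both depend on `sh` being present: on a target without it every call returns false, so the first test fails outright and the injection test passes for the wrong reason, which `#[cfg(unix)]` on the group would make explicit. The injection inputs are well chosen, since under the old `format!`-built script the trailing `echo` made the shell exit 0 and both assertions would have failed, but nothing says so; a one-line comment such as `// With the old format!-built script these exited 0 via the injected echo.` records why these inputs and not others.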
From: badMade <106821302+badMade@users.noreply.github.com>
Date: Thu, 30 Apr 2026 02:06:29 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=92=20Fix=20command=20injection=20?= =?UTF-8?q?vulnerability=20in=20command=5Fexists?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
---
 rust/crates/tools/src/lib.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rust/crates/tools/src/lib.rs b/rust/crates/tools/src/lib.rs
index e32848ca9e..4ff2a654bb 100644
--- a/rust/crates/tools/src/lib.rs
+++ b/rust/crates/tools/src/lib.rs
@@ -5361,7 +5361,9 @@ mod tests {
 
     #[test]
     fn test_command_exists_invalid() {
-        assert!(!super::command_exists("nonexistentcommandthatshouldneverexist123"));
+        assert!(!super::command_exists(
+            "nonexistentcommandthatshouldneverexist123"
+        ));
     }
 
     #[test]