feat(daemon): sense-generator workflow — shell injection safe role execution #79

New Issue

Closed

opened 2026-04-24 08:27:47 +00:00 by xiaoju · 1 comment

xiaoju commented 2026-04-24 08:27:47 +00:00

Owner

Copy Link

Copy Source

Background

Workflow roles that invoke external CLI tools (e.g. cursor-agent) via role.execute() need to pass user-authored prompt content as CLI arguments. Naively concatenating prompt strings into shell commands opens the door to shell injection — any $(), backticks, &&, |, etc. in the prompt would be interpreted by the shell.

Problem

1. cursor-agent has no --prompt-file or stdin prompt input — the only way to pass a prompt is via CLI args.
2. If execute() uses child_process.exec() or spawn(..., { shell: true }), prompt content is shell-interpreted.
3. Long prompts with special characters (quotes, backticks, $, newlines) break or inject.

Solution

1. Safe process spawning utility

Create a shared utility in packages/core (or packages/daemon) that wraps child_process.spawn with shell: false — prompt goes as a separate argv element, never shell-interpolated:

import { spawn } from "node:child_process";

type SpawnResult = { stdout: string; stderr: string; exitCode: number };

function spawnSafe(cmd: string, args: string[], opts?: { cwd?: string; timeout?: number }): Promise<SpawnResult> {
  return new Promise((resolve, reject) => {
    const child = spawn(cmd, args, {
      shell: false,  // ← KEY: no shell interpretation
      cwd: opts?.cwd,
      timeout: opts?.timeout,
      stdio: ["ignore", "pipe", "pipe"],
    });
    // collect stdout/stderr, resolve on close
  });
}

2. Prompt validation before execution

In role execute functions, validate prompt is a string before passing to CLI:

function assertStringPrompt(prompt: unknown): string {
  if (typeof prompt !== "string") {
    throw new Error(`Expected string prompt, got ${typeof prompt}`);
  }
  return prompt;
}

3. Short prompt + .cursor/rules pattern

Keep the -p prompt short (one sentence instruction). Put coding conventions, scope constraints, and context into .cursor/rules files that cursor-agent reads automatically from the workspace.

Acceptance Criteria

• spawnSafe() utility exists with shell: false enforced
• Prompt type validation (must be string) before CLI invocation
• sense-generator workflow uses spawnSafe() for cursor-agent calls
• Unit test: prompt containing $(rm -rf /), backticks, pipes, etc. is passed literally as argv without shell interpretation
• No exec() or spawn(..., { shell: true }) used anywhere for user prompt content

---

小橘 🍊（NEKO Team）

## Background Workflow roles that invoke external CLI tools (e.g. `cursor-agent`) via `role.execute()` need to pass user-authored prompt content as CLI arguments. Naively concatenating prompt strings into shell commands opens the door to **shell injection** — any `$()`, backticks, `&&`, `|`, etc. in the prompt would be interpreted by the shell. ## Problem 1. `cursor-agent` has no `--prompt-file` or stdin prompt input — the only way to pass a prompt is via CLI args. 2. If `execute()` uses `child_process.exec()` or `spawn(..., { shell: true })`, prompt content is shell-interpreted. 3. Long prompts with special characters (quotes, backticks, `$`, newlines) break or inject. ## Solution ### 1. Safe process spawning utility Create a shared utility in `packages/core` (or `packages/daemon`) that wraps `child_process.spawn` with **`shell: false`** — prompt goes as a separate argv element, never shell-interpolated: ```typescript import { spawn } from "node:child_process"; type SpawnResult = { stdout: string; stderr: string; exitCode: number }; function spawnSafe(cmd: string, args: string[], opts?: { cwd?: string; timeout?: number }): Promise<SpawnResult> { return new Promise((resolve, reject) => { const child = spawn(cmd, args, { shell: false, // ← KEY: no shell interpretation cwd: opts?.cwd, timeout: opts?.timeout, stdio: ["ignore", "pipe", "pipe"], }); // collect stdout/stderr, resolve on close }); } ``` ### 2. Prompt validation before execution In role execute functions, validate prompt is a string before passing to CLI: ```typescript function assertStringPrompt(prompt: unknown): string { if (typeof prompt !== "string") { throw new Error(`Expected string prompt, got ${typeof prompt}`); } return prompt; } ``` ### 3. Short prompt + `.cursor/rules` pattern Keep the `-p` prompt short (one sentence instruction). Put coding conventions, scope constraints, and context into `.cursor/rules` files that cursor-agent reads automatically from the workspace. ## Acceptance Criteria - [ ] `spawnSafe()` utility exists with `shell: false` enforced - [ ] Prompt type validation (must be string) before CLI invocation - [ ] sense-generator workflow uses `spawnSafe()` for cursor-agent calls - [ ] Unit test: prompt containing `$(rm -rf /)`, backticks, pipes, etc. is passed literally as argv without shell interpretation - [ ] No `exec()` or `spawn(..., { shell: true })` used anywhere for user prompt content --- 小橘 🍊（NEKO Team）

xiaoju referenced this issue 2026-04-24 09:50:49 +00:00

refactor(core): restore type-safe workflow automaton from Pulse design #81

xiaoju referenced this issue 2026-04-24 21:57:26 +00:00

refactor: extract workflow-utils package from sense-generator #97

xingyue referenced this issue 2026-04-24 22:07:37 +00:00

refactor: extract workflow-utils package from sense-generator #97

xiaoju closed this issue 2026-04-24 22:46:52 +00:00

xiaoju commented 2026-04-24 22:46:59 +00:00

Author

Owner

Copy Link

Copy Source

Resolved by PR #98 (packages/workflow-utils).

All acceptance criteria met:

• spawnSafe() with shell: false ✅
• Prompt type validation (TypeScript strong typing) ✅
• cursorAgent() wrapper uses spawnSafe() ✅
• Injection test ($(echo BAD) passed literally as argv) ✅
• No exec() or spawn({ shell: true }) anywhere ✅

— 小橘 🍊（NEKO Team）

Resolved by PR #98 (`packages/workflow-utils`). All acceptance criteria met: - `spawnSafe()` with `shell: false` ✅ - Prompt type validation (TypeScript strong typing) ✅ - `cursorAgent()` wrapper uses `spawnSafe()` ✅ - Injection test (`$(echo BAD)` passed literally as argv) ✅ - No `exec()` or `spawn({ shell: true })` anywhere ✅ — 小橘 🍊（NEKO Team）

This repo is archived. You cannot comment on issues.

No Branch/Tag Specified

Branches Tags

main

chore/325-workflow-cleanup

refactor/320-extract-workflow-package

refactor/318-sense-shell-only

refactor/316-followup

feat/315-shell-trigger

feat/agent-inject-claude

fix/313-state-persistence-hardening

refactor/308-stateful-sense

docs/285-workflow-naming-convention

feat/agent-inject-cursor

chore/dead-code-cleanup

chore/rfc-006-cleanup

fix/298-update-hermes-skill

refactor/rfc-006-workflow-runtime

feat/agent-inject-phase3

feat/agent-inject-phase2

refactor/rfc-006-worker-runtime

refactor/287-align-prompts-knowledge

feat/agent-inject-phase1

refactor/277-llm-adapter-four-tuple

refactor/274-single-package-workspace

refactor/core-file-consolidation

refactor/rfc-005-phase-1

chore/knowledge-cards

refactor/pure-sense-compute

feat/sense-contract

feat/workflow-meta-package

feat/role-reviewer-package

feat/rfc004-role-committer

docs/rfc-004-package-architecture

feat/254-with-dry-run

fix/136-reflex-null-on

fix/134-hot-reload-in-flight

feat/130-dryrun-defaults

fix/123-llmextract-dryrun-defaults

feat/121-workflow-exit-codes

refactor/111-split-types-generify-sense-result

refactor/110-moderator-context-restructure

refactor/109-role-step

refactor/113-logentry-timestamp

refactor/108-remove-null-unify-ts

feat/106-workspace-biome

feat/104-dryrun-utils

feat/101-dry-run

refactor/100-extract-start-signal

feat/97-workflow-utils

docs/95-update-readme-to-match-code

refactor/93-shared-ipc-types

chore/add-pre-push-hook

fix/test-failures-after-type-safety-refactor

refactor/type-safety

refactor/split-kernel

refactor/extract-nerve-store

fix/pr81-review-followups

refactor/workflow-type-safety

feat/workflow-thread-77

chore/cursor-rules-from-conventions

fix/trigger-payload-string-support

docs/readme-update

feat/init-from-git

build/tsup-to-rslib

refactor/drizzle-v1-node-sqlite

fix/walkthrough-cleanup

refactor/node-sqlite

refactor/sql-js-migration

refactor/static-imports

feat/sense-query

fix/dev-worker-crash

refactor/daemon-subcommand

fix/review-issues-46-49

feat/blob-store

fix/init-sqlite-retry

refactor/decouple-daemon-from-cli

feat/log-archive

feat/nerve-logs

fix/phase4-followup

feat/workflow-engine-phase4

feat/workflow-engine-phase3

fix/init-runtime-bugs

feat/workflow-engine-phase2

feat/workflow-engine-phase1

rfc-002-workflow

feat/phase-7-logging

feat/phase-6-hot-reload

feat/phase-5-cli-workspace

feat/phase-4-process-manager

feat/signal-bus-reflex

feat/sense-runtime

feat/phase-1-core-types

v0.4.0

v0.3.0

v0.2.0

v0.1.7

v0.1.5

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

aobing jiashuang (Jia Shuang) jiayi (Jiayi) luming scottwei tuanzi xiaoju xiaomo xiaonuo xingyue

No Assignees

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: uncaged/nerve#79