Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL] Fix command injection in system-handlers.ts#383

Closed
google-labs-jules[bot] wants to merge 1 commit into
mainfrom
sentinel/fix-command-injection-system-handlers-3390057170719728878
Closed

πŸ›‘οΈ Sentinel: [CRITICAL] Fix command injection in system-handlers.ts#383
google-labs-jules[bot] wants to merge 1 commit into
mainfrom
sentinel/fix-command-injection-system-handlers-3390057170719728878

Conversation

@google-labs-jules

Copy link
Copy Markdown
Contributor
  • 🚨 Severity: CRITICAL
  • πŸ’‘ Issue: The set_cvar handler in system-handlers.ts interpolated unsanitized user inputs (rawName and value) directly into console command strings. This allowed attackers to inject arbitrary console commands (e.g., value; Quit;).
  • 🎯 Impact: Remote code execution / arbitrary console command execution within the Unreal Engine editor via the automation bridge.
  • πŸ”§ Fix: Sanitized rawName and value using sanitizeCommandArgument before interpolating them into the console command string, and updated the response payload to return the sanitized values for consistency.
  • βœ… Verification: Ran npm run lint, npm run type-check, npm run test:unit, and npm run build to verify standard functionality and ensuring no regressions occurred.
  • πŸ“ Pattern Used: Used sanitizeCommandArgument from src/utils/validation.ts applied to all dynamically inserted parts of the console command string as well as validating for empty inputs.

PR created automatically by Jules for task 3390057170719728878 started by @ChiR24

- **🚨 Severity:** CRITICAL
- **πŸ’‘ Issue:** The `set_cvar` handler in `system-handlers.ts` interpolated unsanitized user inputs (`rawName` and `value`) directly into console command strings. This allowed attackers to inject arbitrary console commands (e.g., `value; Quit;`).
- **🎯 Impact:** Remote code execution / arbitrary console command execution within the Unreal Engine editor via the automation bridge.
- **πŸ”§ Fix:** Sanitized `rawName` and `value` using `sanitizeCommandArgument` before interpolating them into the console command string, and updated the response payload to return the sanitized values for consistency.
- **βœ… Verification:** Ran `npm run lint`, `npm run type-check`, `npm run test:unit`, and `npm run build` to verify standard functionality and ensuring no regressions occurred.
- **πŸ“ Pattern Used:** Used `sanitizeCommandArgument` from `src/utils/validation.ts` applied to all dynamically inserted parts of the console command string as well as validating for empty inputs.
@google-labs-jules

Copy link
Copy Markdown
Contributor Author

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@ChiR24 ChiR24 closed this Apr 26, 2026
@ChiR24 ChiR24 deleted the sentinel/fix-command-injection-system-handlers-3390057170719728878 branch May 14, 2026 07:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant