Fix/secretnav

[jakehulberg]

Description 📣

Type ✨

• Bug fix
• New feature
• Improvement
• Breaking change
• Documentation

Tests 🛠️

# Here's some code block to paste some code snippets

---

• I have read the contributing guide, agreed and acknowledged the code of conduct. 📝

[greptile-apps]

Greptile Summary

This PR adds ITUI (Infisical Terminal UI), an AI-powered terminal interface that uses Google Gemini to translate natural language prompts into Infisical CLI commands. The feature includes a Bubble Tea-based TUI with secret browsing, environment switching, AI prompt bar, and command execution with an audit log.

• Compiled binaries committed: Two ~83MB compiled binaries (infisical and itui) are checked into the repository. These must be removed and added to .gitignore before merging.
• Command injection in secret form: The SecretCreatedMsg handler in itui.go:242 interpolates user-provided key/value directly into a command string via fmt.Sprintf without escaping. Values with spaces or flag-like content will produce malformed or unintended commands.
• run command in allowlist: The run subcommand allows arbitrary command execution after -- (e.g., infisical run -- rm -rf /). The AI could be prompt-injected into generating dangerous run commands that pass validation.
• Silent error swallowing in AI client: NewAIClient discards the error from genai.NewClient and returns a partially-initialized struct, making initialization failures hard to debug.
• No user-facing documentation: No docs were found for this new infisical tui command. How will customers discover this feature?

Confidence Score: 1/5

• This PR has critical issues (committed binaries, command injection, unsafe allowlist) that must be resolved before merging.
• Score of 1 reflects: (1) two ~83MB compiled binaries committed to the repo that will permanently bloat Git history, (2) a command injection vulnerability where form input is interpolated unsanitized into CLI commands, (3) the run subcommand in the security allowlist enabling arbitrary command execution via AI prompt injection, and (4) silent error swallowing in AI client initialization.
• Pay close attention to infisical and itui (binaries that must be removed), packages/itui/itui.go (command injection in SecretCreatedMsg handler), and packages/itui/security.go (run in the allowlist).

Important Files Changed

Filename	Overview
infisical	Compiled binary (~83MB) accidentally committed to version control. Must be removed and added to .gitignore.
itui	Compiled binary (~83MB) accidentally committed to version control. Must be removed and added to .gitignore.
packages/itui/itui.go	Main TUI orchestration. Command injection vulnerability in SecretCreatedMsg handler where user input is interpolated without escaping into command strings.
packages/itui/security.go	Command validation allowlist includes run subcommand which enables arbitrary command execution after -- separator.
packages/itui/ai.go	AI client wrapper for Gemini API. Silently swallows client initialization errors, returning a broken client instance.
packages/itui/executor.go	Command executor with validation. Uses exec.Command (not shell) which is good for security. Double-validates commands (in executeCommand and RunRaw).
packages/itui/sanitizer.go	Value sanitization for AI prompts. Regexes are recompiled on each call unnecessarily. Core sanitization logic is sound.
.gitignore	Removed /agent-testing, added .claude/worktrees/. Missing entries for compiled binaries infisical and itui.
packages/itui/components/secretform.go	Secret creation form component. No input validation on key/value before emitting SecretCreatedMsg.
go.mod	Added bubbletea, bubbles, genai dependencies. Updated lipgloss from v0.9.1 to v1.1.0 (major version bump).

_{Last reviewed commit: 128ffd8}

[greptile-apps]

_{31 files reviewed, 6 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Command injection via unsanitized form input

User-provided msg.Key and msg.Value are directly interpolated into a command string via fmt.Sprintf without any escaping or quoting. A secret value containing spaces (e.g., hello world) would be split into separate arguments by splitArgs, truncating the value. More critically, a value like foo --env=prod would inject additional flags, potentially targeting a different environment than intended.

Since the executor uses exec.Command (not a shell), shell metacharacters aren't directly exploitable, but argument injection is. The value should be passed as a properly quoted argument, or better yet, the Executor.Run method should be called directly with properly separated arguments instead of constructing a raw command string:

Suggested change

	case components.SecretCreatedMsg:
	return m, m.executeCommand(
	fmt.Sprintf("infisical secrets set %s=%s --env=%s --path=%s",
	msg.Key, msg.Value, m.ctx.Environment, m.ctx.Path),
	)
	case components.SecretCreatedMsg:
	return m, m.executeCommand(
	fmt.Sprintf("infisical secrets set %s='%s' --env=%s --path=%s",
	msg.Key, strings.ReplaceAll(msg.Value, "'", "'\\''"), m.ctx.Environment, m.ctx.Path),
	)

[greptile-apps]

run subcommand in allowlist enables arbitrary command execution

The run command passes everything after -- to the system as a subprocess (e.g., infisical run --env=dev -- rm -rf /). Since ValidateCommand only checks the subcommand prefix and shell metacharacters, but not the payload after --, the AI model could be prompt-injected into generating a run command with an arbitrary and dangerous subprocess.

Consider either:

1. Removing run from the allowlist entirely, or
2. Adding validation that specifically inspects and restricts what comes after -- in run commands

[greptile-apps]

Silent error swallowing returns broken client

When genai.NewClient fails, the error is silently discarded and a &AIClient{model: "gemini-2.5-flash"} is returned with a nil client field. The caller (NewModel in itui.go) stores this and only discovers the problem later when Translate is called. This makes debugging harder — the user won't know their API key is invalid or that the client failed to initialize.

Consider returning the error or logging a warning so the user knows initialization failed:

func NewAIClient(apiKey string) (*AIClient, error) {
    client, err := genai.NewClient(context.Background(), &genai.ClientConfig{
        APIKey:  apiKey,
        Backend: genai.BackendGeminiAPI,
    })
    if err != nil {
        return nil, fmt.Errorf("failed to create AI client: %w", err)
    }
    return &AIClient{client: client, model: "gemini-2.5-flash"}, nil
}

[greptile-apps]

Delete command also vulnerable to argument injection

Similar to the SecretCreatedMsg handler, item.KeyName is interpolated directly into the command string. If a secret key name contains spaces or flag-like patterns (unlikely but possible depending on the backend), this could produce malformed or unintended commands. Consider using the Executor.Run method directly with properly separated args for all programmatically-constructed commands.

[greptile-apps]

Regex compiled inside function on every call

toPattern and eqPattern are compiled with regexp.MustCompile inside SanitizePrompt, meaning they are re-compiled every time the function is called. Since these are static patterns, they should be compiled once as package-level variables (similar to valuePatterns at the top of the file) for better performance.

Suggested change

	if isWriteOp {
	// Look for "to VALUE" pattern (most common)
	toPattern := regexp.MustCompile(`(?i)\bto\s+(\S+(?:\S*://\S+|\S+))`)
	if isWriteOp {
	// Look for "to VALUE" pattern (most common)
	if matches := writeToPattern.FindStringSubmatchIndex(sanitized); matches != nil {

Where writeToPattern and writeEqPattern are declared as package-level vars alongside valuePatterns.

[greptile-apps]

Additional Comments (1)

infisical
Compiled binaries committed to repo

Two compiled binary files (infisical at ~83MB and itui at ~83MB) have been committed to the repository. These should not be checked into version control — they bloat the repo permanently (even after deletion, Git retains them in history), make diffs unreadable, and are platform-specific. Add infisical and itui to .gitignore and remove them from tracking.