Skip to content

Command injection via hook system + plaintext credentials on disk + write tool path traversal #4

Description

@consigcody94

Found via code audit.

1. Command injection via hooks (HIGH) - `src/hooks.rs:194-199`: `${TOOL_INPUT}` interpolated into `sh -c` command. Shell metacharacters in tool input execute arbitrary commands.

2. Credentials stored plaintext (HIGH) - `src/auth.rs:254-260`: OAuth tokens written to `~/.config/aionrs/auth.json` with default permissions.

3. API keys in plaintext config (HIGH) - `src/config.rs:70-71`: `api_key` stored directly in TOML with no permission checks.

4. Write tool path traversal (HIGH) - `src/tools/write.rs:44-56`: No path validation. AI agent can write to `/etc/passwd`, `~/.ssh/authorized_keys`.

5. UTF-8 truncation panic (HIGH) - `src/tools/orchestration.rs:225-246`: Byte-offset string slicing panics on multibyte characters.

6. Weak session ID (HIGH) - `src/session.rs:226-233`: Only 24 bits of entropy from `subsec_nanos()`.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions