Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL] Fix CLI Argument Injection in Claude CLI#90

Open
rschumann wants to merge 2 commits intomainfrom
sentinel/fix-claude-cli-injection-11896545035375858919
Open

πŸ›‘οΈ Sentinel: [CRITICAL] Fix CLI Argument Injection in Claude CLI#90
rschumann wants to merge 2 commits intomainfrom
sentinel/fix-claude-cli-injection-11896545035375858919

Conversation

@rschumann
Copy link
Contributor

@rschumann rschumann commented Feb 26, 2026

🚨 Severity: CRITICAL
πŸ’‘ Vulnerability: The Anthropic Claude CLI tool definition was missing the PositionalArgsSeparator configuration. This could allow a malicious user to inject arbitrary flags into the CLI command by starting their prompt with a hyphen (e.g., -).
🎯 Impact: If exploited, this could allow users to execute unintended CLI options, potentially leading to unauthorized actions or information disclosure depending on the flags supported by the underlying claude binary.
πŸ”§ Fix: Added PositionalArgsSeparator: "--" to the Anthropic Claude CLI definition in internal/cli/discovery.go. This ensures that the user prompt is always treated as a positional argument and never as a flag.
βœ… Verification: Created a new security test internal/cli/discovery_security_test.go that enforces the presence of the separator for susceptible tools (ClaudeCLI and GeminiCLI). Verified that the test passes.

Sentinel's Journal - Critical Learnings Only

Vulnerability: CLI Argument Injection via Flag Confusion
Learning: Tools that accept positional arguments as prompts MUST use a separator (--) to strictly delimit flags from positional args. Relying on the CLI tool to "guess" is insecure.
Prevention: Enforced via TestKnownTools_PositionalArgsSeparator which checks critical tool definitions.

PR created automatically by Jules for task 11896545035375858919 started by @rschumann

@google-labs-jules @rschumann
security: fix argument injection in Claude CLI
c5f104f 
- Added `PositionalArgsSeparator: "--"` to Anthropic Claude CLI definition in `internal/cli/discovery.go` to prevent flag injection.
- Added `internal/cli/discovery_security_test.go` to enforce security configuration for CLI tools.

Co-authored-by: rschumann <360788+rschumann@users.noreply.github.com>
@google-labs-jules
Copy link
Contributor

google-labs-jules bot commented Feb 26, 2026

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@google-labs-jules @rschumann
security: fix argument injection in Claude CLI and unblock CI
e7dc838 
- Added `PositionalArgsSeparator: "--"` to Anthropic Claude CLI definition in `internal/cli/discovery.go`.
- Added `internal/cli/discovery_security_test.go` to enforce security configuration for CLI tools.
- Updated `internal/discovery/discoverer_test.go` to handle upstream Codex changes.

Co-authored-by: rschumann <360788+rschumann@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rschumann