
Security: fix prompt injection, shell execution, and API key exposure #12216

Open
johnpippett wants to merge 2 commits into RooCodeInc:main from johnpippett:security/critical-fixes-2026-04-28

Conversation

johnpippett commented Apr 28, 2026

Fixes critical security findings:

  1. Prompt injection via terminal/browser output: Added sanitizeForPromptInjection() helper and applied it to command output, file reads, and extracted text before returning to the LLM.
  2. Shell meta-interpretation: Changed ExecaTerminalProcess from shell: true to shell: false.
  3. API key exposure: Redacted secrets in getStateToPostToWebview() and fixed ROO_REDACTED round-trip handling.

All type checks, lint, and tests pass.


Escape potential XML/HTML-like tags in untrusted tool outputs
(command output, file contents, binary extraction) before they are
fed back into the LLM context. This mitigates indirect prompt
injection via malicious file contents or shell output.

- Add sanitizeForPromptInjection() helper to text-normalization
- Apply sanitization in ExecuteCommandTool result formatting
- Apply sanitization in ReadFileTool text and binary paths
- Apply sanitization in extract-text binary extractors
- Change ExecaTerminalProcess shell option from true to false so execa
  parses the command without invoking a shell, preventing shell
  metacharacter interpretation.
- Redact secret API keys in getStateToPostToWebview() before serializing
  state to the webview renderer.
- Preserve existing secret values in ProviderSettingsManager.saveConfig()
  when the webview round-trips the '__ROO_REDACTED__' sentinel.
dosubot (bot) added the labels size:M (This PR changes 30-99 lines, ignoring generated files) and bug (Something isn't working) on Apr 28, 2026