Fix security concerns

cameroncooke · cameroncooke · commit 57f4714c53ba · 2025-08-17T12:20:22.000+01:00
diff --git a/src/mcp/tools/discovery/discover_tools.ts b/src/mcp/tools/discovery/discover_tools.ts
@@ -21,14 +21,28 @@ interface LLMConfig {
 }
 
 // Default LLM configuration with environment variable overrides
-const getLLMConfig = (): LLMConfig => ({
-  maxTokens: process.env.XCODEBUILDMCP_LLM_MAX_TOKENS
-    ? parseInt(process.env.XCODEBUILDMCP_LLM_MAX_TOKENS, 10)
-    : 200,
-  temperature: process.env.XCODEBUILDMCP_LLM_TEMPERATURE
-    ? parseFloat(process.env.XCODEBUILDMCP_LLM_TEMPERATURE)
-    : undefined,
-});
+const getLLMConfig = (): LLMConfig => {
+  let maxTokens = 200; // default
+  if (process.env.XCODEBUILDMCP_LLM_MAX_TOKENS) {
+    const parsed = parseInt(process.env.XCODEBUILDMCP_LLM_MAX_TOKENS, 10);
+    if (!isNaN(parsed) && parsed > 0) {
+      maxTokens = parsed;
+    }
+  }
+
+  let temperature: number | undefined;
+  if (process.env.XCODEBUILDMCP_LLM_TEMPERATURE) {
+    const parsed = parseFloat(process.env.XCODEBUILDMCP_LLM_TEMPERATURE);
+    if (!isNaN(parsed) && parsed >= 0 && parsed <= 2) {
+      temperature = parsed;
+    }
+  }
+
+  return {
+    maxTokens,
+    temperature,
+  };
+};
 
 /**
  * Sanitizes user input to prevent injection attacks and ensure safe LLM usage
diff --git a/src/mcp/tools/project-scaffolding/scaffold_ios_project.ts b/src/mcp/tools/project-scaffolding/scaffold_ios_project.ts
@@ -457,9 +457,7 @@ async function scaffoldProject(
   let templatePath;
   try {
     // Use the default command executor if not provided
-    if (!commandExecutor) {
-      commandExecutor = getDefaultCommandExecutor();
-    }
+    commandExecutor ??= getDefaultCommandExecutor();
 
     templatePath = await TemplateManager.getTemplatePath(
       platform,
diff --git a/src/utils/command.ts b/src/utils/command.ts
@@ -43,11 +43,10 @@ async function defaultExecutor(
     // For shell execution, we need to format as ['sh', '-c', 'full command string']
     const commandString = command
       .map((arg) => {
-        // If the argument contains spaces or special characters, wrap it in quotes
-        // Ensure existing quotes are escaped
-        if (/[\s,"'=]/.test(arg) && !/^".*"$/.test(arg)) {
-          // Check if needs quoting and isn't already quoted
-          return `"${arg.replace(/(["\\])/g, '\\$1')}"`; // Escape existing quotes and backslashes
+        // Shell metacharacters that require quoting: space, quotes, equals, dollar, backticks, semicolons, pipes, etc.
+        if (/[\s,"'=$`;&|<>(){}[\]\\*?~]/.test(arg) && !/^".*"$/.test(arg)) {
+          // Escape all quotes and backslashes, then wrap in double quotes
+          return `"${arg.replace(/(["\\])/g, '\\$1')}"`;
         }
         return arg;
       })
