# Vulnerability Summary: Branch Monkey Command Injection Vulnerability ## Overview * **Vulnerability Name**: Branch Monkey Command Injection via `/api/local-claude/time-machine/preview` * **Vulnerability Type**: OS Command Injection (CWE-78 / CWE-88) * **Severity**: Critical (CVSS v3.1 Score 9.8) * **Root Cause**: The `/api/local-claude/time-machine/preview` endpoint receives user input in the `dev_script` field and directly concatenates it into a shell command, which is executed via `subprocess.Popen(..., shell=True)`. An attacker can achieve arbitrary command execution by crafting a `dev_script` containing special characters such as `;`, `&&`, `$()`. ## Impact Scope * **Affected Products**: Branch Monkey MCP / Company local bridge * **Affected Versions**: `gtyal/p_69_branch_monkey_mcp` (Commit `gtyal79`) * **Prerequisites**: 1. Attacker must have access to the local bridge HTTP endpoint. 2. Attacker must provide a valid `project_path` (pointing to a local Git repository) and `commit_sha` (existing in that repository). ## Remediation Plan 1. **Remove Shell Execution**: Completely remove the shell execution functionality for `dev_script`. 2. **Whitelist Mechanism**: Replace free-form commands with a small set of known safe predefined commands. 3. **Parameterized Invocation**: If custom commands are necessary, use strict validation with an `arg list` and avoid using the shell. 4. **Code-Level Fix**: Replace `subprocess.Popen(command, shell=True, ...)` with a non-shell, `arg`-based invocation method. 5. **Input Validation**: Treat the preview command from requests as structured configuration rather than raw shell strings, and add regression tests covering metacharacters (e.g., `;`, `&&`, backticks, `$()`). ## POC Code ```http POST /api/local-claude/time-machine/preview HTTP/1.1 Host: target-host Content-Type: application/json { "commit_sha": "existing_commit_sha", "project_path": "/path/to/local/git/repo", "dev_script": "touch /tmp/codex_cmd_poc; python3 -m http.server {port}" } ```