Security: disable plugin runtime command execution primitive (#20828)

Co-authored-by: mbelinky <mbelinky@users.noreply.github.com>
2026-02-19 10:17:29 +00:00
parent 771af40913
commit 45db2aa0cd
5 changed files with 179 additions and 12 deletions
--- a/src/plugins/runtime/index.test.ts
+++ b/src/plugins/runtime/index.test.ts
@@ -0,0 +1,13 @@
+import { describe, expect, it } from "vitest";
+import { createPluginRuntime } from "./index.js";
+
+describe("plugin runtime security hardening", () => {
+  it("blocks runtime.system.runCommandWithTimeout", async () => {
+    const runtime = createPluginRuntime();
+    await expect(
+      runtime.system.runCommandWithTimeout(["echo", "hello"], { timeoutMs: 1000 }),
+    ).rejects.toThrow(
+      "runtime.system.runCommandWithTimeout is disabled for security hardening. Use fixed-purpose runtime APIs instead.",
+    );
+  });
+});
--- a/src/plugins/runtime/index.ts
+++ b/src/plugins/runtime/index.ts
@@ -105,7 +105,6 @@ import {
  readChannelAllowFromStore,
  upsertChannelPairingRequest,
 } from "../../pairing/pairing-store.js";
-import { runCommandWithTimeout } from "../../process/exec.js";
 import { resolveAgentRoute } from "../../routing/resolve-route.js";
 import { monitorSignalProvider } from "../../signal/index.js";
 import { probeSignal } from "../../signal/probe.js";
@@ -236,6 +235,13 @@ function loadWhatsAppActions() {
  return whatsappActionsPromise;
 }

+const runtimeCommandExecutionDisabled: PluginRuntime["system"]["runCommandWithTimeout"] =
+  async () => {
+    throw new Error(
+      "runtime.system.runCommandWithTimeout is disabled for security hardening. Use fixed-purpose runtime APIs instead.",
+    );
+  };
+
 export function createPluginRuntime(): PluginRuntime {
  return {
    version: resolveVersion(),
@@ -245,7 +251,7 @@ export function createPluginRuntime(): PluginRuntime {
    },
    system: {
      enqueueSystemEvent,
-      runCommandWithTimeout,
+      runCommandWithTimeout: runtimeCommandExecutionDisabled,
      formatNativeDependencyHint,
    },
    media: {
--- a/src/plugins/runtime/types.ts
+++ b/src/plugins/runtime/types.ts
@@ -184,6 +184,7 @@ export type PluginRuntime = {
  };
  system: {
    enqueueSystemEvent: EnqueueSystemEvent;
+    /** @deprecated Runtime command execution is disabled at runtime for security hardening. */
    runCommandWithTimeout: RunCommandWithTimeout;
    formatNativeDependencyHint: FormatNativeDependencyHint;
  };