From 9b9e7e96ff6f3fd97fc3fbbaacee2a273983f68f Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 15 May 2026 20:11:17 +0000 Subject: [PATCH] fix: prevent sudo option injection in mmdc script Add `--` delimiter to `sudo` execution in `src/mermaid/cmd/mmdc` to prevent option injection vulnerabilities when passing arguments via `$@`. Co-authored-by: MiguelRodo <23501332+MiguelRodo@users.noreply.github.com> --- .jules/sentinel.md | 5 +++++ src/mermaid/cmd/mmdc | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index 07a79d5..e9d3971 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md 
@@ -47,3 +47,8 @@ **Vulnerability:** Path/URL manipulation and injection caused by unvalidated dynamic variables (e.g., dynamically fetching latest version strings via API calls). **Learning:** Variables that determine file paths or download URLs, even when fetched from typically trusted external sources (like a GitHub API), must be treated as untrusted input. If an API response is manipulated or unexpected (e.g., changing a version string to `../../../etc/passwd` or embedding shell commands), it can lead to path traversal, arbitrary file writes, or URL redirection vulnerabilities. **Prevention:** Always validate dynamically fetched data (like tags or version strings) against strict allow-lists (using POSIX-compliant regex like `^[0-9]+\.[0-9]+\.[0-9]+$`) before interpolating them into paths, URLs, or executing them. + +## 2024-05-15 - Sudo Option Injection Prevention +**Vulnerability:** Option injection during privilege escalation. +**Learning:** When invoking `sudo` with user-controlled or variable arguments, specifically when forwarding positional parameters (`$@`), it's possible for those arguments to be interpreted as options to `sudo` itself (e.g. `-i`, `-s`, etc.) if not explicitly delimited. +**Prevention:** Always use the end-of-options delimiter (`--`) immediately preceding the command to execute when calling `sudo` (e.g. `sudo -u "$USERNAME" -- cmd "$@"`). diff --git a/src/mermaid/cmd/mmdc b/src/mermaid/cmd/mmdc index eedfa0d..c3d2b39 100644 --- a/src/mermaid/cmd/mmdc +++ b/src/mermaid/cmd/mmdc @@ -75,7 +75,7 @@ if [ "$EUID" -eq 0 ]; then else # Not running as root, check for sudo if command -v sudo &>/dev/null; then - sudo -u "$USERNAME" mmdc -p "$CONFIG_FILE" "$@" + sudo -u "$USERNAME" -- mmdc -p "$CONFIG_FILE" "$@" else echo "Error: Not root and no 'sudo' available to switch user." exit 1
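Review bot: the `**Learning:**` line of the new `## 2024-05-15 - Sudo Option Injection Prevention` entry overstates the problem this patch addresses. `sudo` stops parsing its own options at the first non-option argument, which is the command name, so positional parameters forwarded after `mmdc` are passed to `mmdc` and were never candidates for interpretation as `-i` or `-s` by `sudo`. The `--` is still worth keeping as defence in depth, since it protects a future edit that puts a variable in the command position (for example `sudo -u "$USERNAME" -- "$CMD" "$@"`, where a `$CMD` beginning with `-` would otherwise be read as a sudo option), so reword the Learning paragraph to say that rather than that `$@` itself is at risk here; the `**Prevention:**` line can stay as is. Separately, the heading date `2024-05-15` disagrees with the commit date of 15 May 2026; pick one.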
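Review bot: on the changed line `sudo -u "$USERNAME" -- mmdc -p "$CONFIG_FILE" "$@"` the `--` is a no-op for this invocation, because `mmdc` is already the first non-option argument and terminates sudo's option parsing, so `"$@"` was not visible to `sudo` before the change either. Keep it as defensive style, but the commit message should not describe it as preventing an option-injection vulnerability. Two things this hunk does not show are worth checking: the `then` branch for `[ "$EUID" -eq 0 ]` (if it switches user through `su` or `runuser` instead of `sudo`, apply the same end-of-options delimiter there for consistency), and whether callers are expected to pass `mmdc` options in `"$@"`, since those are parsed by `mmdc` after the hand-off regardless of the delimiter.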