Merged
4 changes: 4 additions & 0 deletions .jules/sentinel.md
Expand Up @@ -48,6 +48,10 @@
**Learning:** Variables that determine file paths or download URLs, even when fetched from typically trusted external sources (like a GitHub API), must be treated as untrusted input. If an API response is manipulated or unexpected (e.g., changing a version string to `../../../etc/passwd` or embedding shell commands), it can lead to path traversal, arbitrary file writes, or URL redirection vulnerabilities.
**Prevention:** Always validate dynamically fetched data (like tags or version strings) against strict allow-lists (using POSIX-compliant regex like `^[0-9]+\.[0-9]+\.[0-9]+$`) before interpolating them into paths, URLs, or executing them.

## 2024-05-15 - Sudo Option Injection Prevention
**Vulnerability:** Option injection during privilege escalation.
**Learning:** When invoking `sudo` with user-controlled or variable arguments, specifically when forwarding positional parameters (`$@`), it's possible for those arguments to be interpreted as options to `sudo` itself (e.g. `-i`, `-s`, etc.) if not explicitly delimited.
**Prevention:** Always use the end-of-options delimiter (`--`) immediately preceding the command to execute when calling `sudo` (e.g. `sudo -u "$USERNAME" -- cmd "$@"`).
## 2024-05-15 - Unsafe Direct Execution of Remote Script

**Vulnerability:** The devcontainer feature `src/mermaid/install.sh` was directly executing remote bash scripts downloaded via `curl | bash` for NodeSource installation. This exposes the installation process to remote code execution risks if the source is compromised or a Man-in-the-Middle (MitM) attack occurs.
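Review bot: The Learning line of the new "Sudo Option Injection Prevention" entry overstates what `--` covers. In the entry's own example, `sudo -u "$USERNAME" -- cmd "$@"`, the forwarded `$@` sits after `cmd`, so the delimiter protects the command position (a command word that begins with `-`), while any element of `$@` that begins with `-` is still parsed as an option by `cmd` itself. Suggest rewording the Learning to say that, and extending the Prevention line to cover the forwarded arguments as well, for example by validating `$@` or adding a second `--` before it where the target command supports one. Minor style point: the new entry runs straight into the next `## 2024-05-15 - Unsafe Direct Execution of Remote Script` heading with no blank line, unlike the entry above it.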
2 changes: 1 addition & 1 deletion src/mermaid/cmd/mmdc
Expand Up @@ -75,7 +75,7 @@ if [ "$EUID" -eq 0 ]; then
else
# Not running as root, check for sudo
if command -v sudo &>/dev/null; then
sudo -u "$USERNAME" mmdc -p "$CONFIG_FILE" "$@"
sudo -u "$USERNAME" -- mmdc -p "$CONFIG_FILE" "$@"
else
echo "Error: Not root and no 'sudo' available to switch user."
exit 1
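Review bot: On the changed `sudo` line, the `--` ends option parsing for `sudo` only; `"$@"` is still appended after `mmdc -p "$CONFIG_FILE"`, so option-like arguments supplied by the caller reach `mmdc` unchanged and are parsed there, including a second `-p`. If the wrapper is meant to pin the config file, check `$@` for a caller-supplied `-p` before the call and reject it, or document that callers may pass any `mmdc` options. The `if [ "$EUID" -eq 0 ]` branch named in the hunk header is not part of this diff; confirm that the user switch it performs delimits its command the same way.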