🛡️ Sentinel: [HIGH] Fix Web UI CLI Command Execution Vulnerability #93

Open: SlasshyOverhere wants to merge 1 commit into main from sentinel-block-cli-commands-8894548285912197306

@SlasshyOverhere (Owner) commented Apr 2, 2026

🛡️ Sentinel: [HIGH] Fix Web UI CLI Command Execution Vulnerability

🚨 Severity: HIGH
💡 Vulnerability: The Web UI's `/api/cli/run` endpoint allowed execution of interactive, non-web, or destructive CLI commands (like `vault2fa`, `sync`, `totp`, etc.). This could lead to a severe security risk as the interactive shell prompts are bypassed or data could be overwritten without intended constraints.
🎯 Impact: Attackers or malicious scripts (via XSRF/CSRF, or a compromised browser) could trigger arbitrary internal commands that alter critical vault state, overwrite configs, or start interactive tasks that cause hangs or unwanted behavior.
🔧 Fix: Added all interactive and dangerous commands (`vault2fa`, `totp`, `sync`, `duress`, `autolock`, `settings`, `theme`, `update`, `desktop`) to the `BLOCKED_WEB_CLI_COMMANDS` Set in `src/webui/server.ts` to explicitly block them from execution over HTTP endpoints.
✅ Verification: Ran `pnpm test` and `pnpm lint` to ensure everything works properly and the change hasn't broken existing functionality.


PR created automatically by Jules for task 8894548285912197306 started by @SlasshyOverhere

Summary by CodeRabbit

  • Bug Fixes
    • Blocked additional CLI commands from being executed via the Web UI, including vault2fa, totp, sync, duress, autolock, settings, theme, update, and desktop commands.

Copilot AI review requested due to automatic review settings April 2, 2026 15:31

@google-labs-jules (Contributor)

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

coderabbitai (Bot) commented Apr 2, 2026

📝 Walkthrough


The PR expands the BLOCKED_WEB_CLI_COMMANDS blocklist in the Web UI server by adding nine CLI subcommands (vault2fa, totp, sync, duress, autolock, settings, theme, update, desktop) that are now prevented from execution via the Web UI interface.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Security: Web UI CLI Command Blocklist (src/webui/server.ts) | Expanded the BLOCKED_WEB_CLI_COMMANDS array to prevent nine additional sensitive CLI commands from being executed through the Web UI, protecting against unauthorized access to vault, authentication, synchronization, and system configuration operations. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • PR #54 — Also modifies the BLOCKED_WEB_CLI_COMMANDS blocklist in src/webui/server.ts to prevent additional CLI commands from running via the Web UI.

Poem

🐰 Nine commands now blocked with care,
Vault and totp locked away fair,
Web UI stays tight and secure,
No sneaky duress shall endure!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title uses an emoji and severity tag that obscure the core change. While it references a vulnerability fix, the actual change is about blocking specific CLI commands from the Web UI, which the title doesn't convey clearly. | Consider a clearer title like 'Block dangerous CLI commands from Web UI' that directly describes the changeset without decorative elements or severity labels. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/webui/server.ts`:
- Line 50: The blocklist currently defined in BLOCKED_WEB_CLI_COMMANDS is
bypassable via CLI aliases because /api/cli/run only exact-matches the first
token; update the enforcement to canonicalize the incoming command token(s)
before checking (normalize hyphens/underscores and common alias mappings such as
2fa-setup → vault2fa, vault-2fa → vault2fa, 2fa → totp, panic → duress) or
alternatively expand BLOCKED_WEB_CLI_COMMANDS to include those alias variants,
and ensure the check in the /api/cli/run handler uses the normalized token (not
raw string) when deciding to block execution.

📥 Commits

Reviewing files that changed from the base of the PR and between 1cdcca9 and 5982a3d.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • src/webui/server.ts

Comment thread src/webui/server.ts
const CLI_RUN_TIMEOUT_MS = 120_000;
const CLI_RUN_MAX_BUFFER_BYTES = 10 * 1024 * 1024;
const BLOCKED_WEB_CLI_COMMANDS = new Set(['web', 'ui', 'destruct', 'init', 'auth', 'delete']);
const BLOCKED_WEB_CLI_COMMANDS = new Set(['web', 'ui', 'destruct', 'init', 'auth', 'delete', 'vault2fa', 'totp', 'sync', 'duress', 'autolock', 'settings', 'theme', 'update', 'desktop']);
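Review bot: the expanded `BLOCKED_WEB_CLI_COMMANDS` Set is still a denylist, so any command name that is not spelled out in this literal stays reachable over `/api/cli/run`, including every command added to the CLI after this change. An allowlist of the commands the Web UI actually needs would fail closed. If the denylist stays, the lookup should use the command name the CLI resolves rather than the raw first token the thread describes, so aliases are covered without being listed by hand.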

⚠️ Potential issue | 🔴 Critical

Blocklist is still bypassable via CLI aliases.

At Line 50, the new blocked commands omit known aliases; at Lines 533-536, enforcement is exact-match on the first token.
2fa-setup, vault-2fa, 2fa, and panic can still reach blocked handlers (vault2fa/totp/duress) through /api/cli/run.

🔒 Proposed fix
-const BLOCKED_WEB_CLI_COMMANDS = new Set(['web', 'ui', 'destruct', 'init', 'auth', 'delete', 'vault2fa', 'totp', 'sync', 'duress', 'autolock', 'settings', 'theme', 'update', 'desktop']);
+const BLOCKED_WEB_CLI_COMMANDS = new Set([
+  'web', 'ui', 'destruct', 'init', 'auth', 'delete',
+  'vault2fa', 'vault-2fa', '2fa-setup', '2fa', 'totp',
+  'sync', 'duress', 'panic', 'autolock', 'settings', 'theme', 'update', 'desktop',
+]);
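Review bot: the proposed Set lists aliases by hand (`vault-2fa`, `2fa-setup`, `2fa`, `panic`) and still has no `rm`, which the other review comment on this line reports as an alias of `delete` in src/index.ts. A hand-copied alias list has to be edited every time the CLI definition changes; build the Set from the CLI's own command and alias definitions, or resolve the alias to its command name before the lookup.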

If you want a more robust fix, canonicalize aliases before checking (or switch /api/cli/run to an explicit allowlist of safe non-interactive commands).

Also applies to: 533-536

Copilot AI left a comment

Pull request overview

This PR aims to harden the Web UI’s /api/cli/run endpoint by preventing execution of high-risk CLI commands when invoked over HTTP.

Changes:

  • Expanded BLOCKED_WEB_CLI_COMMANDS in the Web UI server to deny more commands via /api/cli/run.
  • Added a pnpm-lock.yaml lockfile to the repository.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| src/webui/server.ts | Expands the Web UI CLI denylist used by /api/cli/run. |
| pnpm-lock.yaml | Introduces a pnpm lockfile (appears unrelated to the security fix and conflicts with existing npm-based workflow). |

Comment thread src/webui/server.ts
const CLI_RUN_TIMEOUT_MS = 120_000;
const CLI_RUN_MAX_BUFFER_BYTES = 10 * 1024 * 1024;
const BLOCKED_WEB_CLI_COMMANDS = new Set(['web', 'ui', 'destruct', 'init', 'auth', 'delete']);
const BLOCKED_WEB_CLI_COMMANDS = new Set(['web', 'ui', 'destruct', 'init', 'auth', 'delete', 'vault2fa', 'totp', 'sync', 'duress', 'autolock', 'settings', 'theme', 'update', 'desktop']);
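Review bot: the change to this Set ships without a test; the two changed files listed are src/webui/server.ts and pnpm-lock.yaml. Add a test that submits each blocked name, and each alias of it, to `/api/cli/run` and asserts the request is rejected, so a later edit to the Set or to the CLI's aliases cannot silently reopen a command.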

Copilot AI Apr 2, 2026

runCliCommand blocks the delete command, but the CLI exposes delete with an alias rm (see src/index.ts). As a result, /api/cli/run can still delete entries by calling rm (e.g. rm --force ...), so the security fix is incomplete. Add rm (and any other destructive aliases) to BLOCKED_WEB_CLI_COMMANDS, or change the check to block based on Commander-resolved command name rather than the raw first token.

Suggested change
const BLOCKED_WEB_CLI_COMMANDS = new Set(['web', 'ui', 'destruct', 'init', 'auth', 'delete', 'vault2fa', 'totp', 'sync', 'duress', 'autolock', 'settings', 'theme', 'update', 'desktop']);
const BLOCKED_WEB_CLI_COMMANDS = new Set(['web', 'ui', 'destruct', 'init', 'auth', 'delete', 'rm', 'vault2fa', 'totp', 'sync', 'duress', 'autolock', 'settings', 'theme', 'update', 'desktop']);
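Review bot: the suggested Set adds `rm` but none of `2fa-setup`, `vault-2fa`, `2fa` or `panic`, which the CodeRabbit comment on the same line reports as reaching `vault2fa`, `totp` and `duress`. Applying this suggestion alone leaves those names unblocked; merge both alias lists, or take the alternative already offered here and check the Commander-resolved command name.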

Copilot uses AI. Check for mistakes.
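
The resolve-then-check approach that both review comments on src/webui/server.ts point to, as an added example that is not code from this repository: the first token is mapped through an alias table before the lookup, and the lookup is an allowlist so unknown names are refused. The alias pairs are the ones named in the reviews; `firstToken`, `rawFirstTokenBlocked`, `resolveCommand`, `isWebCliAllowed` and the allowlist entries `list` and `status` are hypothetical names chosen for illustration.

```typescript
// Added example, not code from src/webui/server.ts.
// Denylist as it stands after this PR (copied from the diff).
const BLOCKED_WEB_CLI_COMMANDS = new Set<string>([
  'web', 'ui', 'destruct', 'init', 'auth', 'delete', 'vault2fa', 'totp', 'sync',
  'duress', 'autolock', 'settings', 'theme', 'update', 'desktop',
]);

// Alias -> command pairs reported in the review comments on this PR.
const CLI_ALIASES = new Map<string, string>([
  ['2fa-setup', 'vault2fa'],
  ['vault-2fa', 'vault2fa'],
  ['2fa', 'totp'],
  ['panic', 'duress'],
  ['rm', 'delete'],
]);

// Hypothetical allowlist: placeholder names, not the project's real commands.
const ALLOWED_WEB_CLI_COMMANDS = new Set<string>(['list', 'status']);

// First whitespace-delimited token of the submitted command line.
function firstToken(commandLine: string): string {
  return commandLine.trim().split(/\s+/)[0] ?? '';
}

// The check as the reviews describe it: exact match on the raw first token.
function rawFirstTokenBlocked(commandLine: string): boolean {
  return BLOCKED_WEB_CLI_COMMANDS.has(firstToken(commandLine));
}

// Resolve an alias to its command name; other tokens pass through unchanged.
function resolveCommand(commandLine: string): string {
  const token = firstToken(commandLine);
  return CLI_ALIASES.get(token) ?? token;
}

// Fail closed: the resolved name must be allowlisted and must not be denylisted.
function isWebCliAllowed(commandLine: string): boolean {
  const command = resolveCommand(commandLine);
  return ALLOWED_WEB_CLI_COMMANDS.has(command) && !BLOCKED_WEB_CLI_COMMANDS.has(command);
}

// Constructed inputs: aliases slip past the raw check but are refused once resolved.
const SAMPLE_REQUESTS = ['rm --force entry', 'panic', '2fa', 'vault-2fa', 'list', 'newcmd'];
const results = SAMPLE_REQUESTS.map((line) => ({
  line,
  rawBlocked: rawFirstTokenBlocked(line),
  allowed: isWebCliAllowed(line),
}));
console.log(results);
```

In a real handler the alias table should come from the CLI's own command definitions rather than a second hand-maintained copy.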
Comment thread pnpm-lock.yaml
Comment on lines +1 to +20
lockfileVersion: '9.0'

settings:
autoInstallPeers: true
excludeLinksFromLockfile: false

importers:

.:
dependencies:
'@google-cloud/local-auth':
specifier: ^3.0.1
version: 3.0.1
argon2:
specifier: ^0.44.0
version: 0.44.0
chalk:
specifier: ^5.3.0
version: 5.6.2
cli-progress:
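Review bot: this new lockfile records its own resolved versions (for example `chalk` at 5.6.2 for specifier `^5.3.0`), and nothing in the PR ties them to the versions the repository already locks. A second lockfile arriving inside a security fix leaves it unclear which dependency set was actually tested and should be audited; drop pnpm-lock.yaml from this change and keep the fix to src/webui/server.ts.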

Copilot AI Apr 2, 2026

pnpm-lock.yaml is being added, but the repo’s CI and scripts use npm (npm ci, npm run build/lint/test) and the canonical lockfile in the repository is package-lock.json. Adding a pnpm lockfile without switching the toolchain will cause churn/confusion and can desync dependency resolution. Please remove pnpm-lock.yaml from this PR (or, if the intent is to migrate to pnpm, update CI/scripts/documentation and remove package-lock.json in a dedicated PR).

Copilot uses AI. Check for mistakes.