added @ and + to dangerous patterns and updated syntax for feed.json

Author: ekang7

crates/chat-cli/src/cli/chat/tools/execute/mod.rs

@@ -59,7 +59,9 @@ impl ExecuteCommand {
         let Some(args) = shlex::split(&self.command) else {
             return true;
         };
-        const DANGEROUS_PATTERNS: &[&str] = &["<(", "$(", "`", ">", "&&", "||", "&", ";", "$", "\n", "\r", "IFS"];
+        const DANGEROUS_PATTERNS: &[&str] = &[
+            "<(", "$(", "`", ">", "&&", "||", "&", ";", "$", "\n", "\r", "IFS", "@", "+",
+        ];
 
         if args
             .iter()
@@ -442,6 +444,8 @@ mod tests {
             ("echo 'test\nrm file'", true),
             ("echo 'test\rrm file'", true),
             ("IFS=/ malicious", true),
+            (r#"/c/"+"/m/"+"/d/.exe"#, true),
+            ("$^(calc.exe)", true),
         ];
         for (cmd, expected) in cmds {
             let tool = serde_json::from_value::<ExecuteCommand>(serde_json::json!({

crates/chat-cli/src/cli/feed.json

@@ -21,7 +21,8 @@
           "description": "Right arrow key being disabled - [#3439](https://github.com/aws/amazon-q-developer-cli/pull/3439)"
         }
       ]
-    }{
+    },
+    {
       "type": "release",
       "date": "2025-11-12",
       "version": "1.19.5",
@@ -1382,4 +1383,4 @@
       "link": "https://aws.amazon.com/blogs/aws/amazon-q-developer-now-generally-available-includes-new-capabilities-to-reimagine-developer-experience/"
     }
   ]
-}
+}