Description

🚨 CRITICAL SECURITY FIX: Command Injection Vulnerability

Fixed a critical command injection vulnerability in searchTasksWithCommand() that allowed arbitrary system command execution through malicious search queries.

The Problem:

// VULNERABLE CODE - User input directly in shell command
const cmd = `grep -r --include="*.json" "${userQuery}" "${memoryDir}"`;
const { stdout } = await execPromise(cmd);

Attack Example:
If a user searched for: "; rm -rf /; echo "

The executed command would become:

grep -r --include="*.json" ""; rm -rf /; echo "" "/path/to/memory"

This would:

1. Execute an empty grep search
2. Delete the entire filesystem (rm -rf /)
3. Echo an empty string

The Fix:

// SECURE CODE - Arguments passed as array, no shell interpretation  
const args = ['-r', '--include=*.json', cleanQuery, memoryDir];
const result = spawnSync('grep', args, { encoding: 'utf8' });

Impact: Prevents system compromise while maintaining all search functionality.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

• npm run build - Successful compilation
• Verified search functionality remains intact

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (README.md, CHANGELOG.md)
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• I have checked to ensure my PR is focused on a single feature/fix
• I have updated the version number in package.json