Prevent injection in help.

Author: dblock

.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2025-10-01 17:05:23 UTC using RuboCop version 1.81.1.
+# on 2025-10-01 17:50:25 UTC using RuboCop version 1.81.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -44,7 +44,7 @@ RSpec/ContextWording:
     - 'spec/slack-api-explorer/commands/slack_spec.rb'
     - 'spec/support/api/endpoints/it_behaves_like_a_cursor_api.rb'
 
-# Offense count: 10
+# Offense count: 12
 # Configuration parameters: CountAsOne.
 RSpec/ExampleLength:
   Max: 27
@@ -88,7 +88,7 @@ RSpec/RepeatedExampleGroupDescription:
   Exclude:
     - 'spec/api/endpoints/teams_endpoint_spec.rb'
 
-# Offense count: 8
+# Offense count: 9
 # Configuration parameters: CustomTransform, IgnoreMethods, IgnoreMetadata.
 RSpec/SpecFilePathFormat:
   Exclude:
@@ -98,6 +98,7 @@ RSpec/SpecFilePathFormat:
     - 'spec/api/robots_spec.rb'
     - 'spec/api/swagger_documentation_spec.rb'
     - 'spec/slack-api-explorer/commands/default_spec.rb'
+    - 'spec/slack-api-explorer/commands/help_spec.rb'
     - 'spec/slack-api-explorer/commands/slack_spec.rb'
     - 'spec/slack-api-explorer/commands/unknown_spec.rb'
     - 'spec/slack-api-explorer/version_spec.rb'
@@ -123,4 +124,4 @@ RSpec/VoidExpect:
 # Configuration parameters: AllowHeredoc, AllowURI, AllowQualifiedName, URISchemes, IgnoreCopDirectives, AllowedPatterns, SplitStrings.
 # URISchemes: http, https
 Layout/LineLength:
-  Max: 175
+  Max: 226

slack-api-explorer/commands/help.rb

@@ -3,7 +3,9 @@ module Commands
     class Help < SlackRubyBot::Commands::Base
       def self.help_for(expression = nil)
         @help ||= {}
-        @help[expression] ||= '```' + `slack help #{expression}`.gsub(/^(    )/, '') + '```'
+        expression = Shellwords.join(['slack', 'help', Shellwords.parse(expression).compact].flatten)
+        result, _ = Open3.capture2e(expression)
+        @help[expression] ||= "```\n" + result.gsub(/^(    )/, '').strip + "\n```"
       end
 
       def self.commands
@@ -46,9 +48,12 @@ def self.commands
 
       def self.call(client, data, match)
         expression = match['expression'] if match.names.include?('expression')
-        help = expression && !expression.empty? ? help_for(expression) : HELP
-        client.say(channel: data.channel, text: [help, SlackApiExplorer::INFO].join("\n"))
-        logger.info "HELP: #{client.owner} - #{data.user}"
+        if expression && !expression.empty?
+          client.say(channel: data.channel, text: help_for(expression))
+        else
+          client.say(channel: data.channel, text: [HELP, INFO].join("\n"))
+        end
+        logger.info "HELP: #{client.owner}, user=#{data.user}, for=#{expression || 'help'}"
       end
     end
   end

slack-api-explorer/commands/slack.rb

@@ -9,9 +9,10 @@ def self.call(client, data, match)
         expression = match['expression']
         expression = ::Slack::Messages::Formatting.unescape(expression)
         expression.gsub! '—', '--'
-        logger.info "SLACK: #{client.owner} - #{expression}"
+        logger.info "SLACK: #{client.owner}, cmd=#{expression}"
         args, pipe = Shellwords.parse(expression)
-        output, error, _ = Open3.capture3(* ['slack', '--slack-api-token', client.owner.token, args].flatten)
+        cmd = Shellwords.shelljoin(['slack', '--slack-api-token', client.owner.token, args].flatten)
+        output, error, _ = Open3.capture3(cmd)
         error&.strip!
         output&.strip!
         if error && !error.blank?

spec/slack-api-explorer/commands/help_spec.rb

@@ -0,0 +1,29 @@
+require 'spec_helper'
+
+describe SlackApiExplorer::Commands::Help do
+  let!(:team) { Fabricate(:team) }
+  let(:app) { SlackApiExplorer::Server.new(team: team) }
+  let(:client) { app.send(:client) }
+  let(:message_hook) { SlackRubyBot::Hooks::Message.new }
+
+  it 'displays help' do
+    expect(message: "#{SlackRubyBot.config.user} help").to respond_with_slack_message(
+      [
+        SlackApiExplorer::Commands::Help::HELP,
+        SlackApiExplorer::INFO
+      ].join("\n")
+    )
+  end
+
+  it 'displays command help' do
+    expect(message: "#{SlackRubyBot.config.user} help auth").to respond_with_slack_message(
+      "```\nNAME\nauth - Auth methods.\n\nSYNOPSIS\n\nslack [global options] auth revoke [--test arg]\n\nslack [global options] auth test\n\nCOMMANDS\nrevoke - Revokes a token.\ntest   - Checks authentication & identity.\n```"
+    )
+  end
+
+  it 'does not inject ;' do
+    expect(message: "#{SlackRubyBot.config.user} help auth ; ls").to respond_with_slack_message(
+      "```\nerror: Unknown command ';'.  Use 'slack help' for a list of commands.\n```"
+    )
+  end
+end

spec/slack-api-explorer/commands/slack_spec.rb

@@ -93,7 +93,14 @@
   context 'chat postMessage' do
     it 'unescapes channel' do
       allow(Open3).to receive(:capture3).and_return(JSON.dump(ok: true), nil)
-      expect(Open3).to receive(:capture3).with('slack', '--slack-api-token', client.token, 'chat', 'postMessage', '--text', 'Hello World', '--channel', '#C04KB5X4D')
+      expect(Open3).to receive(:capture3).with(
+        Shellwords.join(
+          [
+            'slack', '--slack-api-token', client.token, 'chat', 'postMessage', '--text', 'Hello World', '--channel',
+            '#C04KB5X4D'
+          ]
+        )
+      )
       expect(message: "#{SlackRubyBot.config.user} chat postMessage --text 'Hello World' --channel <#C04KB5X4D>").to respond_with_slack_message("```\n{\n  \"ok\": true\n}```")
     end
   end