pattern-stack
diff --git a/‎src/cli_patterns/execution/subprocess_executor.py‎
Lines changed: 62 additions & 14 deletions b/‎src/cli_patterns/execution/subprocess_executor.py‎
Lines changed: 62 additions & 14 deletions
diff --git a/‎tests/integration/test_subprocess_security.py‎
Lines changed: 151 additions & 0 deletions b/‎tests/integration/test_subprocess_security.py‎
Lines changed: 151 additions & 0 deletions
@@ -13,7 +13,9 @@
 from __future__ import annotations
 
 import asyncio
+import logging
 import os
+import shlex
 from typing import Optional, Union
 
 from rich.console import Console
@@ -23,6 +25,8 @@
 from ..ui.design.registry import theme_registry
 from ..ui.design.tokens import StatusToken
 
+logger = logging.getLogger(__name__)
+
 
 class CommandResult:
     """Result of a command execution."""
@@ -83,6 +87,7 @@ async def run(
         timeout: Optional[float] = None,
         cwd: Optional[str] = None,
         env: Optional[dict[str, str]] = None,
+        allow_shell_features: bool = False,
     ) -> CommandResult:
         """Execute a command asynchronously with themed output streaming.
 
@@ -91,22 +96,40 @@ async def run(
             timeout: Command timeout in seconds (uses default if None)
             cwd: Working directory for the command
             env: Environment variables for the command
+            allow_shell_features: Allow shell features (pipes, redirects, etc.).
+                SECURITY WARNING: Only enable for trusted commands. When False,
+                command is executed without shell to prevent injection attacks.
 
         Returns:
             CommandResult with exit code and captured output
         """
         timeout = timeout or self.default_timeout
 
-        # Show running status
-        if self.stream_output:
-            running_style = theme_registry.resolve(StatusToken.RUNNING)
-            self.console.print(Text(f"Running: {command}", style=running_style))
-
-        # Prepare command
+        # Prepare command list for display and execution
         if isinstance(command, list):
+            command_list = command
             command_str = " ".join(command)
         else:
             command_str = command
+            # Parse string into list for safe execution
+            try:
+                command_list = shlex.split(command_str)
+            except ValueError as e:
+                # Invalid shell syntax
+                stderr_msg = f"Invalid command syntax: {e}"
+                if self.stream_output:
+                    error_style = theme_registry.resolve(StatusToken.ERROR)
+                    self.console.print(Text(stderr_msg, style=error_style))
+                return CommandResult(
+                    exit_code=-1,
+                    stdout="",
+                    stderr=stderr_msg,
+                )
+
+        # Show running status
+        if self.stream_output:
+            running_style = theme_registry.resolve(StatusToken.RUNNING)
+            self.console.print(Text(f"Running: {command_str}", style=running_style))
 
         # Merge environment variables
         process_env = os.environ.copy()
@@ -122,14 +145,39 @@ async def run(
         process = None  # Initialize process variable
 
         try:
-            # Create subprocess
-            process = await asyncio.create_subprocess_shell(
-                command_str,
-                stdout=asyncio.subprocess.PIPE,
-                stderr=asyncio.subprocess.PIPE,
-                cwd=cwd,
-                env=process_env,
-            )
+            # Create subprocess - use shell only if explicitly allowed
+            if allow_shell_features:
+                # SECURITY WARNING: Shell features enabled
+                logger.warning(
+                    f"Executing command with shell features enabled: {command_str}"
+                )
+                process = await asyncio.create_subprocess_shell(
+                    command_str,
+                    stdout=asyncio.subprocess.PIPE,
+                    stderr=asyncio.subprocess.PIPE,
+                    cwd=cwd,
+                    env=process_env,
+                )
+            else:
+                # Safe execution without shell (prevents injection)
+                if not command_list:
+                    stderr_msg = "Empty command"
+                    if self.stream_output:
+                        error_style = theme_registry.resolve(StatusToken.ERROR)
+                        self.console.print(Text(stderr_msg, style=error_style))
+                    return CommandResult(
+                        exit_code=-1,
+                        stdout="",
+                        stderr=stderr_msg,
+                    )
+
+                process = await asyncio.create_subprocess_exec(
+                    *command_list,
+                    stdout=asyncio.subprocess.PIPE,
+                    stderr=asyncio.subprocess.PIPE,
+                    cwd=cwd,
+                    env=process_env,
+                )
 
             # Create tasks for reading streams
             stdout_task = asyncio.create_task(
 
@@ -0,0 +1,151 @@
+"""Integration tests for subprocess security features.
+
+This module tests the security features of SubprocessExecutor, including
+command injection prevention through the allow_shell_features flag.
+"""
+
+import pytest
+
+from cli_patterns.execution.subprocess_executor import SubprocessExecutor
+
+
+@pytest.mark.asyncio
+@pytest.mark.integration
+class TestSubprocessSecurity:
+    """Test security features of SubprocessExecutor."""
+
+    async def test_safe_command_without_shell(self) -> None:
+        """Should execute safe command without shell features."""
+        executor = SubprocessExecutor(stream_output=False)
+        result = await executor.run("echo hello", allow_shell_features=False)
+
+        assert result.success
+        assert "hello" in result.stdout
+
+    async def test_blocks_command_injection_without_shell(self) -> None:
+        """Should prevent command injection when shell features disabled."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        # This should fail because semicolon will be treated as literal argument
+        # The command "echo" will receive "test;whoami" as a single argument
+        result = await executor.run("echo test;whoami", allow_shell_features=False)
+
+        # Should succeed (echo accepts the argument)
+        assert result.success
+        # But semicolon should be in the output as a literal character
+        assert "test;whoami" in result.stdout or ";" in result.stdout
+
+    async def test_allows_shell_features_when_enabled(self) -> None:
+        """Should allow shell features when explicitly enabled."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        # This should work with shell features enabled
+        result = await executor.run(
+            "echo hello && echo world", allow_shell_features=True
+        )
+
+        assert result.success
+        assert "hello" in result.stdout
+        assert "world" in result.stdout
+
+    async def test_pipe_fails_without_shell(self) -> None:
+        """Should not support pipes when shell features disabled."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        # Pipe should not work without shell
+        result = await executor.run("echo test | cat", allow_shell_features=False)
+
+        # The command will fail because "|" will be treated as a literal argument
+        # and echo doesn't accept that as a valid option
+        assert not result.success or "|" in result.stdout
+
+    async def test_pipe_works_with_shell(self) -> None:
+        """Should support pipes when shell features enabled."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        # Pipe should work with shell enabled
+        result = await executor.run("echo test | cat", allow_shell_features=True)
+
+        assert result.success
+        assert "test" in result.stdout
+
+    async def test_command_substitution_fails_without_shell(self) -> None:
+        """Should not execute command substitution without shell."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        # Command substitution should not work
+        result = await executor.run("echo $(whoami)", allow_shell_features=False)
+
+        # Should treat $() as literal text
+        assert not result.success or "$" in result.stdout or "(" in result.stdout
+
+    async def test_command_substitution_works_with_shell(self) -> None:
+        """Should execute command substitution with shell features."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        # Command substitution should work with shell
+        result = await executor.run("echo $(echo test)", allow_shell_features=True)
+
+        assert result.success
+        assert "test" in result.stdout
+
+    async def test_redirection_fails_without_shell(self) -> None:
+        """Should not support redirection without shell features."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        # Redirection should not work
+        result = await executor.run(
+            "echo test > /tmp/test_output", allow_shell_features=False
+        )
+
+        # Should treat > as literal argument
+        assert not result.success or ">" in result.stdout
+
+    async def test_handles_commands_with_arguments(self) -> None:
+        """Should handle commands with normal arguments safely."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        result = await executor.run("echo -n hello world", allow_shell_features=False)
+
+        assert result.success
+        assert "hello world" in result.stdout or "helloworld" in result.stdout
+
+    async def test_handles_quoted_arguments(self) -> None:
+        """Should handle quoted arguments correctly."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        result = await executor.run('echo "hello world"', allow_shell_features=False)
+
+        assert result.success
+        assert "hello world" in result.stdout
+
+    async def test_default_is_safe_mode(self) -> None:
+        """Should default to safe mode (shell features disabled)."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        # Without specifying allow_shell_features, should default to False
+        result = await executor.run("echo test")
+
+        assert result.success
+        assert "test" in result.stdout
+
+    async def test_invalid_command_syntax(self) -> None:
+        """Should handle invalid shell syntax gracefully."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        # Unmatched quotes should fail in shlex.split
+        result = await executor.run('echo "unterminated', allow_shell_features=False)
+
+        assert not result.success
+        assert "Invalid command syntax" in result.stderr
+
+    async def test_command_not_found(self) -> None:
+        """Should handle command not found gracefully."""
+        executor = SubprocessExecutor(stream_output=False)
+
+        result = await executor.run(
+            "nonexistent_command_xyz", allow_shell_features=False
+        )
+
+        assert not result.success
+        assert result.exit_code != 0