## Critical Command Injection Vulnerability Disclosed in ShellLayer.cpp: std::system() Call Exposes File Path Injection Risk
A high-severity security vulnerability has been identified in the codebase of an open-source project, specifically within `src/App/ShellLayer.cpp` at line 129. The flaw stems from the use of `std::system()` — a function notorious for enabling command injection attacks — combined with user-controlled file paths. The vulnerable code constructs a shell command string using direct concatenation: `"xdg-open \"" + filePath.string() + "\" &"`, then passes it to `std::system()` without sanitization. This pattern allows an attacker who can influence the `filePath` variable to inject arbitrary shell commands, potentially achieving remote code execution on affected systems.

The vulnerability affects the Linux implementation of the file-opening mechanism. According to the issue tracker, the Windows version has already been partially hardened — it employs `ShellExecuteW` for notepad operations — but retains a vulnerable fallback path. The proposed remediation involves abstracting file-opening logic into a dedicated platform layer. Tasks include creating `src/Platform/IFileOpener.h` as a formal interface, implementing a Linux-specific version using `fork()` and `exec()` with proper argument handling to avoid shell interpretation, and improving the Windows fallback. The fix also requires comprehensive test coverage for the new implementation.

The vulnerability has been labeled as `high-priority`, `security`, and `code-review` in the project's issue tracker. Documentation references in `docs/test-coverage-analysis.md` and `docs/test-coverage-implementation-guide.md` flag this as Priority 1, with an estimated remediation effort of 30 minutes. Given that `std::system()` invokes the system shell, any untrusted input reaching this code path represents a direct attack surface. Projects depending on this codebase should treat the issue as requiring urgent patching pending the platform-layer refactor.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: command-injection, std::system, vulnerability, security-patch, cpp
- **Credibility**: unverified
- **Published**: 2026-04-29 17:54:15
- **ID**: 78310
- **URL**: https://whisperx.ai/en/intel/78310