Anonymous Intelligence Signal

GitHub Security Policy Flaw: Unchecked Interpreter Arguments Allowed Arbitrary Code Execution

human The Lab unverified 2026-04-13 14:23:03 Source: GitHub Issues

A critical security flaw in GitHub's command execution policy left multiple default-allowlisted interpreters vulnerable to arbitrary code execution. The `is_args_safe()` function, designed to vet commands, only performed safety checks on `find` and `git`. This oversight meant that interpreters like python3, node, pip, npm, and cargo could pass dangerous arguments unchecked, creating a direct path for attackers to run malicious code via standard command-line flags.

The vulnerability specifically allowed exploitation through each interpreter's native execution mechanisms. For Python, the `-c` and `-m` flags could be used to run arbitrary code or modules. Node.js was vulnerable via its `-e`, `--eval`, and `--input-type` arguments for JavaScript evaluation. Package managers were also at risk: `pip`'s `install` and `download` commands could trigger arbitrary `setup.py` execution, `npm`'s `exec`, `run`, and `start` could launch arbitrary scripts, and `cargo`'s `install` and `run` could execute arbitrary code in `build.rs`. Legitimate, non-dangerous usage patterns like `python3 script.py` or `cargo build` remained unaffected.

The fix, implemented to close GitHub issue #5698, extends the `is_args_safe()` function with new match arms to explicitly block these dangerous arguments for each interpreter. This patch fundamentally tightens the security model by moving from a permissive, trust-based approach for key tools to an explicit deny-list for high-risk flags. The change underscores the persistent security challenge in platform-level command policies: a narrow focus on a subset of tools can leave a broad attack surface exposed through other, equally powerful interpreters.
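The per-interpreter deny-list described above can be sketched as follows. This is an added example, not the project's code: the signature of `is_args_safe()` and the helper names are assumptions, and it goes slightly beyond the flags listed above by also rejecting the `--flag=value` form and clustered or attached Python short options (`-Bc`, `-cCODE`), which an exact-match comparison would miss.

```rust
/// True if a python3 argument is a short-option token carrying -c or -m,
/// including clustered (-Bc) and attached (-cCODE) spellings.
fn python_flag_runs_code(arg: &str) -> bool {
    if !arg.starts_with('-') || arg.starts_with("--") {
        return false;
    }
    for ch in arg[1..].chars() {
        match ch {
            'c' | 'm' => return true,
            'W' | 'X' => return false, // rest of the token is that option's value
            _ => {}
        }
    }
    false
}

/// Matches both `--flag` and `--flag=value`.
fn is_long_flag(arg: &str, flags: &[&str]) -> bool {
    flags.iter().any(|f| arg == *f || arg.strip_prefix(*f).map_or(false, |r| r.starts_with('=')))
}

/// Fail closed: a denied word in any position is treated as the subcommand,
/// so a leading option or toolchain selector cannot hide it.
fn has_subcommand(args: &[&str], denied: &[&str]) -> bool {
    args.iter().any(|a| denied.contains(a))
}

/// Hypothetical signature; returns true when no deny-listed argument is present.
fn is_args_safe(cmd: &str, args: &[&str]) -> bool {
    match cmd {
        // All arguments are scanned, so flags after the script name are rejected too.
        "python3" => !args.iter().any(|a| python_flag_runs_code(a)),
        "node" => !args.iter().any(|a| *a == "-e" || is_long_flag(a, &["--eval", "--input-type"])),
        "pip" => !has_subcommand(args, &["install", "download"]),
        "npm" => !has_subcommand(args, &["exec", "run", "start"]),
        "cargo" => !has_subcommand(args, &["install", "run"]),
        _ => true, // find, git and other commands are not modelled in this sketch
    }
}

fn main() {
    // Constructed sample invocations.
    println!("python3 script.py      -> {}", is_args_safe("python3", &["script.py"]));
    println!("python3 -Bc print(1)   -> {}", is_args_safe("python3", &["-Bc", "print(1)"]));
    println!("node --input-type=...  -> {}", is_args_safe("node", &["--input-type=module"]));
    println!("cargo build            -> {}", is_args_safe("cargo", &["build"]));
}
```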