From b9fd83a1b093d77b211e944712eb6b02a79566f6 Mon Sep 17 00:00:00 2001
From: BitterPanda
Date: Fri, 6 Feb 2026 14:38:24 +0100
Subject: [PATCH] DangerousShellChars: Add \r and \f

---
 .../shell_injection/DangerousShellChars.java | 2 +-
 .../shell_injection/ShellInjectionDetectorTest.java | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/DangerousShellChars.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/DangerousShellChars.java
index 82b397981..f4d24cbf8 100644
--- a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/DangerousShellChars.java
+++ b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/shell_injection/DangerousShellChars.java
@@ -7,7 +7,7 @@ public final class DangerousShellChars {
     private DangerousShellChars() {}
     private static final List DANGEROUS_CHARS = Arrays.asList(
             "#", "!", "\"", "$", "&", "'", "(", ")", "*", ";", "<", "=", ">", "?",
-            "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~"
+            "[", "\\", "]", "^", "`", "{", "|", "}", " ", "\n", "\t", "~", "\r", "\f"
     );
 
     public static boolean containDangerousCharacter(String userInput) {
diff --git a/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java b/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
index 7b5ac880c..c2bc4d66a 100644
--- a/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
+++ b/agent_api/src/test/java/vulnerabilities/shell_injection/ShellInjectionDetectorTest.java
@@ -439,6 +439,7 @@ void testItFlagsCommaInLoop() {
     void testCarriageReturnAsSeparator() {
         // \r (carriage return) as separator before dangerous command
         assertIsShellInjection("ls\rrm", "rm");
+        assertIsShellInjection("sleep\r5", "sleep\r5");
         assertIsShellInjection("echo test\rrm -rf /", "rm");
     }
 
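Review bot: The `+` line adds `\r` and `\f` but leaves out vertical tab (`\u000B`), the one remaining ASCII control whitespace character, so input carrying a VT where CR or FF is now blocked presumably still passes `containDangerousCharacter`; if the intent is to treat every control whitespace character as a potential separator, append `"\u000B"` after `"\f"` on that line and add a matching test case. Bash's default IFS is only space, tab and newline, so `\r` and `\f` are conservative, false-positive-tolerant additions, and a one-line comment above the list such as `// \r, \f: not IFS separators in POSIX shells, flagged conservatively; see ShellInjectionDetectorTest` would record that decision for the next maintainer. The field is also still declared as a raw `List`; `List<String>` costs nothing and lets the compiler check the literals. `containDangerousCharacter` starts on the hunk's last context line and its body lies outside the hunk.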
@@ -446,6 +447,16 @@ void testCarriageReturnAsSeparator() {
     void testFormFeedAsSeparator() {
         // \f (form feed) as separator before dangerous command
         assertIsShellInjection("ls\frm", "rm");
+        assertIsShellInjection("sleep\f5", "sleep\f5");
         assertIsShellInjection("echo test\frm -rf /", "rm");
     }
+
+    @Test
+    void testCommandExactlyMatchesUserInputWithSeparators() {
+        // When command equals userInput and contains \r or \f separators
+        assertIsShellInjection("ls\rrm", "ls\rrm");
+        assertIsShellInjection("ls\frm", "ls\frm");
+        assertIsShellInjection("echo\rcat /etc/passwd", "echo\rcat /etc/passwd");
+        assertIsShellInjection("echo\fcat /etc/passwd", "echo\fcat /etc/passwd");
+    }
 }
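Review bot: The `sleep\r5` and `sleep\f5` assertions added to `testCarriageReturnAsSeparator` and `testFormFeedAsSeparator` are command-equals-userInput cases, which is exactly what the new `testCommandExactlyMatchesUserInputWithSeparators` groups together, yet they sit under comments that still read `// \f (form feed) as separator before dangerous command`, so the comment no longer describes every assertion beneath it. Either move the two `sleep` cases into the new test or reword those comments, e.g. `// \f as separator; also flagged when the user input is the whole command`. The new test's own comment could state the expected outcome rather than only the input shape, e.g. `// command == userInput with a \r or \f separator: the whole input must be flagged`. Every assertion in this hunk is a positive detection; a negative case would show the new characters do not over-block benign input, but this hunk does not reveal which negative helper the suite provides, so I leave the exact case to the author. The final context line is the test class's closing brace.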