Expand tilde manually in TUI (#4827)

* Fix command injection vulnerability in TUI

The TUI was building a command string from user input via string
concatenation and passing it to `sh -c` through syscall.Exec. This
allowed shell metacharacters in any TUI input field (git URI, file
path, tokens, etc.) to be interpreted as shell commands.

Replace the `sh -c` invocation with a direct syscall.Exec of the
trufflehog binary, passing arguments as a proper argv array. This
eliminates shell interpretation entirely.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Add tilde expansion for TUI args after removing shell layer

Since sh -c was removed to fix command injection, ~/foo paths entered
in the TUI are no longer expanded by a shell. This adds a narrow
expandTilde helper that replaces a leading ~ with os.UserHomeDir()
before exec, restoring path resolution without reintroducing any
shell interpretation.

Guards against empty $HOME to prevent ~/foo silently resolving to /foo.

Made-with: Cursor

---------

Co-authored-by: Bryan Beverly <bryan.beverly@trufflesec.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 3 people

main.go

@@ -280,6 +280,28 @@ var (
 	usingTUI   = false
 )
 
+// expandTilde replaces a leading ~ in each argument with the user's home
+// directory. This compensates for bypassing the shell (which would normally
+// perform this expansion) while still avoiding shell metacharacter injection.
+func expandTilde(args []string) []string {
+	home, err := os.UserHomeDir()
+	if err != nil || home == "" {
+		return args
+	}
+	out := make([]string, len(args))
+	for i, arg := range args {
+		switch {
+		case arg == "~":
+			out[i] = home
+		case strings.HasPrefix(arg, "~/"):
+			out[i] = home + arg[1:]
+		default:
+			out[i] = arg
+		}
+	}
+	return out
+}
+
 func init() {
 	_, _ = maxprocs.Set()
 
@@ -308,12 +330,17 @@ func init() {
 			os.Exit(0)
 		}
 
-		binary, err := exec.LookPath("sh")
+		// The TUI passes user input as literal strings. Since we no longer
+		// invoke a shell, we must expand ~ ourselves so paths like ~/foo
+		// resolve correctly.
+		args = expandTilde(args)
+
+		binary, err := exec.LookPath(os.Args[0])
 		if err == nil {
 			// On success, this call will never return. On failure, fallthrough
 			// to overwriting os.Args.
-			cmd := strings.Join(append(os.Args[:1], args...), " ")
-			_ = syscall.Exec(binary, []string{"sh", "-c", cmd}, append(os.Environ(), "TUI_PARENT=true"))
+			execArgs := append([]string{binary}, args...)
+			_ = syscall.Exec(binary, execArgs, append(os.Environ(), "TUI_PARENT=true"))
 		}
 
 		// Overwrite the Args slice so overseer works properly.