Fix/command injection shell (#24170)

Co-authored-by: David Pierce <davidapierce@google.com>

packages/core/src/tools/shell.ts

@@ -40,6 +40,7 @@ import {
   stripShellWrapper,
   parseCommandDetails,
   hasRedirection,
+  detectCommandSubstitution,
   normalizeCommand,
   escapeShellArg,
 } from '../utils/shell-utils.js';
@@ -443,6 +444,18 @@ export class ShellToolInvocation extends BaseToolInvocation<
     } = options;
     const strippedCommand = stripShellWrapper(this.params.command);
 
+    if (detectCommandSubstitution(strippedCommand)) {
+      return {
+        llmContent:
+          'Command injection detected: command substitution syntax ' +
+          '($(), backticks, <() or >()) found in command arguments. ' +
+          'On PowerShell, @() array subexpressions and $() subexpressions are also blocked. ' +
+          'This is a security risk and the command was blocked.',
+        returnDisplay:
+          'Blocked: command substitution detected in shell command.',
+      };
+    }
+
     if (signal.aborted) {
       return {
         llmContent: 'Command was cancelled by user before it could start.',