Skip to content

fix(selfhost): validate ready retry settings#5146

Merged
JSONbored merged 1 commit into
mainfrom
codex/propose-fix-for-bash-arithmetic-injection
Jul 12, 2026
Merged

fix(selfhost): validate ready retry settings#5146
JSONbored merged 1 commit into
mainfrom
codex/propose-fix-for-bash-arithmetic-injection

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • The self-host post-update readiness probe accepted SELFHOST_READY_RETRIES and SELFHOST_READY_RETRY_DELAY_SECONDS directly from the environment and used them in a Bash arithmetic expansion, allowing arithmetic-expression/command-substitution injection on the failure path.
  • The intent is to harden the probe against malicious or malformed env values while preserving the existing retry behaviour and messages.

Description

  • Validate SELFHOST_READY_RETRIES and SELFHOST_READY_RETRY_DELAY_SECONDS as decimal integers and emit a warning and fallback to safe defaults when invalid in scripts/selfhost-post-update-check.sh.
  • Compute a prevalidated READY_TIMEOUT_SECONDS using 10# to force decimal interpretation and use it in the readiness failure message to avoid evaluating untrusted input inside $((...)).
  • Replace the vulnerable inline arithmetic expansion in the error message with the precomputed READY_TIMEOUT_SECONDS and reuse the sanitized READY_RETRIES/READY_RETRY_DELAY_SECONDS values for loop/sleep calls.
  • Add a regression unit test test/unit/selfhost-post-update-check-script.test.ts that runs the real script with mocked docker, curl, and sleep to assert non-numeric injection strings do not execute and that the validated timeout calculation is reported; also regenerate worker-configuration.d.ts to satisfy local drift checks.

Testing

  • Ran npx vitest run test/unit/selfhost-post-update-check-script.test.ts and the two new tests passed.
  • Ran git diff --check and the local formatting/checks for the changed files passed.
  • Ran npm run cf-typegen to regenerate Cloudflare runtime types and committed the updated worker-configuration.d.ts successfully.
  • Attempted the full gate npm run test:ci and npm audit --audit-level=moderate; test:ci reached test:coverage where unrelated existing test-suite failures appeared and the run was stopped, and npm audit returned a 403 Forbidden from the registry audit endpoint (these are unrelated to the patch itself).

Codex Task

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@JSONbored JSONbored self-assigned this Jul 12, 2026
@JSONbored
JSONbored force-pushed the codex/propose-fix-for-bash-arithmetic-injection branch from c390f6a to e603634 Compare July 12, 2026 09:01
@codecov

codecov Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.34%. Comparing base (448dd3e) to head (e603634).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5146   +/-   ##
=======================================
  Coverage   94.34%   94.34%           
=======================================
  Files         473      473           
  Lines       39965    39965           
  Branches    14570    14570           
=======================================
  Hits        37704    37704           
  Misses       1585     1585           
  Partials      676      676           
Flag Coverage Δ
shard-1 46.33% <ø> (ø)
shard-2 34.67% <ø> (ø)
shard-3 30.89% <ø> (-1.11%) ⬇️
shard-4 33.08% <ø> (+1.10%) ⬆️
shard-5 33.75% <ø> (+<0.01%) ⬆️
shard-6 44.84% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@JSONbored
JSONbored merged commit 0b8bc5d into main Jul 12, 2026
18 checks passed
@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 12, 2026
@JSONbored
JSONbored deleted the codex/propose-fix-for-bash-arithmetic-injection branch July 12, 2026 09:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant