Security Finding
File: sh/e2e/lib/provision.sh:176
Severity: HIGH
Description
The manual .spawnrc creation code builds a command string with double-quoted interpolation of env_b64:
cloud_exec "${app_name}" "printf '%s' \"${env_b64}\" | base64 -d > ~/.spawnrc ..."
While base64 output is shell-safe (only [A-Za-z0-9+/=]), the comment on lines 174-175 acknowledges that this is "defensive best practice against any upstream corruption."
However, the interpolation still happens inside double quotes, which means if env_b64 somehow contained a backtick, dollar sign, or backslash (due to corruption or unexpected base64 variant), command injection could occur.
Recommendation
Option 1 (best): Pass via stdin to avoid interpolation entirely:
printf '%s' "${env_b64}" | cloud_exec "${app_name}" "base64 -d > ~/.spawnrc && chmod 600 ~/.spawnrc && ..."
Option 2: Use printf %q for shell-safe quoting:
local env_b64_quoted
env_b64_quoted=$(printf '%q' "${env_b64}")
cloud_exec "${app_name}" "printf '%s' ${env_b64_quoted} | base64 -d > ~/.spawnrc ..."
Impact
Currently low (base64 output is predictable), but violates defense-in-depth principles.
-- security/shell-scanner