fix(security): add missing cmd validation to Sprite runSprite() and runSpriteSilent() #2903

@la14-1


Summary

Sprite's runSprite() (sprite.ts:480) and runSpriteSilent() (sprite.ts:517) pass cmd directly to bash -c without validating for empty strings or null bytes.

Every other cloud's equivalent runServer() function validates with:

    if (!cmd || /\0/.test(cmd)) {
        throw new Error("Invalid command: must be non-empty and must not contain null bytes");
    }

  • AWS runServer() — aws.ts:1117 ✅
  • Hetzner runServer() — hetzner.ts:744 ✅
  • DigitalOcean runServer() — digitalocean.ts:1366 ✅
  • GCP runServer() — gcp.ts:989 ✅
  • Sprite interactiveSession() — sprite.ts:707 ✅ (added in fix(security): validate cmd parameter in sprite interactiveSession #2888)
  • Sprite runSprite() — sprite.ts:480 ❌ missing
  • Sprite runSpriteSilent() — sprite.ts:517 ❌ missing

Impact

A null byte in cmd could truncate the command at the C level when passed to bash, potentially causing partial/unintended command execution on the remote sprite VM.

Fix

Add the same guard to both functions and add test coverage in sprite-cov.test.ts.

Origin

Discovered by code-health scan (refactor cycle). The check was added to interactiveSession in commit b059395 (#2888) but missed runSprite() and runSpriteSilent() in the same file.

-- refactor/code-health
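
The guard described in the issue, factored into one shared helper and exercised against both entry points; this is an added example, not code from the project's sprite.ts. The names `assertValidCmd`, `cStringView`, `makeRunners` and `exerciseGuards`, the injected `exec` callback, and the error-swallowing behaviour of the silent variant are assumptions made for illustration.

```typescript
// Added example; all names here are hypothetical stand-ins, not code from sprite.ts.
type Exec = (argv: string[]) => void;

// The guard quoted in the issue, factored into one helper so no entry point can miss it.
function assertValidCmd(cmd: string): void {
  if (!cmd || /\0/.test(cmd)) {
    throw new Error("Invalid command: must be non-empty and must not contain null bytes");
  }
}

// What a NUL-terminated (C string) consumer would see of a JS string.
function cStringView(s: string): string {
  const i = s.indexOf("\0");
  return i === -1 ? s : s.slice(0, i);
}

// Stand-ins for runSprite() and runSpriteSilent(); exec is injected so nothing is spawned.
function makeRunners(exec: Exec) {
  return {
    run(cmd: string): void {
      assertValidCmd(cmd);
      exec(["bash", "-c", cmd]);
    },
    // Assumption: the silent variant swallows execution errors. The guard sits
    // outside the try so invalid input still throws instead of being hidden.
    runSilent(cmd: string): boolean {
      assertValidCmd(cmd);
      try { exec(["bash", "-c", cmd]); return true; } catch { return false; }
    },
  };
}

// Constructed inputs: one valid command, then the two cases the guard rejects.
function exerciseGuards(): { spawned: string[]; rejected: number } {
  const spawned: string[] = [];
  const runners = makeRunners((argv) => { spawned.push(argv.join(" ")); });
  let rejected = 0;
  for (const cmd of ["uname -a", "", "echo ok\0 trailing"]) {
    for (const fn of [runners.run, runners.runSilent]) {
      try { fn(cmd); } catch { rejected++; }
    }
  }
  return { spawned, rejected };
}
```

Placing the call to the shared helper as the first statement of every function that builds a `bash -c` argument makes a missed call site easy to spot in review.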
