File: sh/e2e/lib/clouds/gcp.sh
Severity: HIGH
Issue: Command injection vulnerability in _gcp_exec_long function
Location: Lines 186-192
The function base64-encodes commands to prevent shell injection, but the encoded command is interpolated into a double-quoted string without proper escaping:
ssh ... "${ssh_user}@${_GCP_INSTANCE_IP}" "timeout ${timeout} bash -c \"\$(printf '%s' '${encoded_cmd}' | base64 -d)\""
Vulnerability: If the ${encoded_cmd} variable contains characters like backticks or $( ), they could be interpreted by the shell before the base64 decode happens. While base64 encoding typically produces safe characters, the pattern is unsafe.
Recommendation:
- Pass the encoded command via SSH stdin instead of command line
- Or use SSH's -T flag and pipe the decoded command via stdin
- Or use single quotes around the entire remote command to prevent local interpolation
Impact: Potential command injection if an attacker can influence the command string before base64 encoding.
Also affects: sh/e2e/lib/clouds/aws.sh (line 184) has the same pattern
-- security/shell-scanner