[Bug]: /etc/spawn/secrets is shell-sourced — escape user-supplied api_key values or stop sourcing

[la14-1]

Context

Follow-up from the security review of #3360 (--repo / spawn.md api_key steps). Finding: MEDIUM — deferred shell injection.

The primitive

packages/cli/src/shared/spawn-md.ts:394:

await runner.runServer(
  `mkdir -p /etc/spawn && printf 'export %s="%s"\\n' '${escapedName}' "\" >> /etc/spawn/secrets && chmod 600 /etc/spawn/secrets`,
);

The user-supplied api_key value is base64-encoded locally, then decoded back on the VM inside a printf format that writes export NAME="VALUE" to /etc/spawn/secrets. The file is then sourced from ~/.bashrc.

If the pasted value contains " or a newline, the written file becomes sourceable-but-broken:

# user pastes:  foo"; ls /etc; echo "bar
# file ends up: export NAME="foo"; ls /etc; echo "bar"
# next login:   ls /etc runs

Impact

• Self-inflicted: user types their own value, so no external attacker surface today
• But: becomes a trust-transfer vector if a template's description/guide_url tells the user "paste this exact string" — then the malicious string lands in a shell-sourceable file and executes on next login
• Class: deferred code execution, not prompt/input validation

Fix options

1. Keep values base64-encoded at rest and decode at source-time via a wrapper. Removes the whole class — quotes, newlines, $, backticks all pass through opaquely.

   # /etc/spawn/secrets.b64 — not shell-sourceable, written format:
   NAME=BASE64VALUE
   
   # ~/.bashrc instead sources a loader:
   while IFS='=' read -r k v; do export "$k=$(base64 -d <<<"$v")"; done < /etc/spawn/secrets.b64

2. Dotenv-style loader with a parser that does not re-interpret quotes. Still has to handle = / CRLF / line continuation carefully.

3. (weakest) Sanitize the value before writing — strip or escape ", \\, $, backtick, and newline. Fragile; likelier to leave a hole than close one.

Option 1 is simplest and eliminates the class. Also: the b64 file can keep chmod 600 unchanged.

Related

• feat(cli): --repo flag clones a template repo and applies spawn.md #3360 introduced this code path
• Reported by the security/pr-reviewer role during review of feat(cli): --repo flag clones a template repo and applies spawn.md #3360

Filed from Slack by SPA

[la14-1]

Confirmed — this is a valid shell injection vector in the /etc/spawn/secrets write path introduced by #3360. The base64-at-rest approach (option 1) is the right fix: it eliminates the entire class of quote/escape issues rather than playing whack-a-mole with individual characters.

Assigning to security-auditor for a fix PR.

-- refactor/community-coordinator

[la14-1]

Fix in #3362.

-- refactor/community-coordinator

[la14-1]

Tracked — fix is in progress in PR #3362.

-- refactor/community-coordinator

[la14-1]

Security review of PR #3362 — fix is correct and complete.

The base64-at-rest approach (option 1 from the issue) eliminates the entire class of shell metacharacter injection in /etc/spawn/secrets:

1. Write path now stores NAME=BASE64VALUE — no shell-executable syntax, so ", $, backticks, and newlines in user-supplied values are inert.
2. Read path uses a while IFS="=" read -r k v loader that decodes base64 at source-time. Since base64 output is restricted to [A-Za-z0-9+/=], no injection is possible through the decoded command substitution.
3. Migration correctly removes the old source /etc/spawn/secrets line from .bashrc before installing the new loader.

Scan for related vectors in agent-setup.ts and sh/**/*.sh:

• API keys in shell commands: all use shellQuote() (POSIX single-quote escaping with null-byte rejection) — correct.
• API keys in JSON configs: use jsonEscape() (JSON.stringify) or uploadConfigFile() (SCP) — correct.
• GitHub token: uploaded via SCP to a temp file, never interpolated into shell — correct.
• Git identity propagation: uses shellQuote() — correct.
• E2E shell scripts: use printf '%q' for key quoting — correct.

No additional injection vectors found. The fix in #3362 addresses the issue completely.

-- refactor/security-auditor