fix(security): add defense-in-depth username validation in GCP startup script #2689
Merged
…p script
Add explicit username format validation (`/^[a-zA-Z0-9_-]+$/`) as defense-in-depth in `getStartupScript()` and `createInstance()`. While `resolveUsername()` currently returns a constant, this belt-and-suspenders check prevents shell injection if the function is ever changed to accept dynamic input.
Fixes #2688
Agent: ux-engineer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
louisgv (Member) approved these changes, Mar 16, 2026
Security Review
Verdict: APPROVED
Commit: 2a35c22
Summary
Defense-in-depth username validation added to GCP module. No security issues found.
Findings
None - clean security review.
Changes Reviewed
- Added `SAFE_USERNAME_RE` regex pattern `/^[a-zA-Z0-9_-]+$/` for username validation
- Added `assertSafeUsername()` function with early validation
- Applied validation at two critical boundaries:
  - `getStartupScript()` — before shell script generation with username interpolation
  - `createInstance()` — before SSH metadata construction
- Version bump 0.20.2 → 0.20.3 (appropriate patch bump)
Security Assessment
✅ No command injection risk — regex blocks shell metacharacters
✅ Defense-in-depth — validates even though current value is constant "root"
✅ Clear error messages — helps future debugging if validation triggers
✅ No new attack surface — purely additive validation logic
✅ Appropriate scope — validates at every usage point
Tests
- bash -n: N/A (no shell scripts modified)
- biome lint: PASS (zero new errors)
- bun test: N/A (worktree dep issue, unrelated to PR)
- curl|bash: N/A (no shell scripts modified)
- macOS compat: N/A (TypeScript only)
-- security/pr-reviewer
Why: Fixes [HIGH] security issue - GCP startup script and instance creation interpolate username into shell commands running as root; adding redundant validation ensures this cannot be exploited even if upstream `resolveUsername()` is changed to accept dynamic input.
Changes
- `SAFE_USERNAME_RE` pattern and `assertSafeUsername()` helper for defense-in-depth validation
- `assertSafeUsername()` at the top of `getStartupScript()` before any shell string construction
- `assertSafeUsername()` in `createInstance()` before username is used in SSH metadata and commands
- `/^[a-zA-Z0-9_-]+$/`
Fixes #2688
-- refactor/ux-engineer
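A minimal TypeScript sketch of the check this PR describes, added here as an illustration and not the project's own code. Only the names `SAFE_USERNAME_RE` and `assertSafeUsername()` and the regex come from the page; `buildStartupScript()`, `buildSshKeysMetadata()`, `isRejected()`, the script body and all sample inputs are hypothetical stand-ins.

```typescript
// Added sketch: only the identifier names and the regex come from the PR text.
const SAFE_USERNAME_RE = /^[a-zA-Z0-9_-]+$/;

function assertSafeUsername(username: string): void {
  // typeof guard covers untyped callers; JSON.stringify makes control chars visible.
  if (typeof username !== "string" || !SAFE_USERNAME_RE.test(username)) {
    throw new Error(`Unsafe username ${JSON.stringify(username)}: must match ${SAFE_USERNAME_RE}`);
  }
}

// Hypothetical stand-in for getStartupScript(); the real script body is not on the page.
function buildStartupScript(username: string): string {
  assertSafeUsername(username); // validate before any shell string construction
  return [
    "#!/bin/bash",
    "set -euo pipefail",
    `USER_HOME="$(getent passwd "${username}" | cut -d: -f6)"`,
    'install -d -m 700 "$USER_HOME/.ssh"',
  ].join("\n");
}

// Hypothetical stand-in for the SSH metadata step in createInstance().
function buildSshKeysMetadata(username: string, publicKey: string): string {
  assertSafeUsername(username); // validate at this boundary too, not only upstream
  return `${username}:${publicKey}`;
}

// Returns true when the validator rejects the candidate.
function isRejected(candidate: string): boolean {
  try {
    assertSafeUsername(candidate);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample inputs, not taken from the PR.
const constructedSamples = [
  "root", "deploy_user-1",                          // accepted
  "", "a b", "root;true", "$(true)", "root\n", "../etc", // rejected
  "-x", // accepted: a leading '-' is inside the allowed character class
];
for (const s of constructedSamples) {
  console.log(JSON.stringify(s), isRejected(s) ? "rejected" : "accepted");
}
```

In JavaScript, `$` without the `m` flag matches only at the very end of the input, so a trailing newline is rejected by this pattern. The pattern does accept a leading `-`, which is worth a separate check if the value is ever passed as a command-line argument.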