security: Command injection risk in verify.sh openclaw port check

[louisgv]

Summary

The _openclaw_ensure_gateway and _openclaw_restart_gateway functions in sh/e2e/lib/verify.sh contain command injection risks through unsafe variable interpolation in the port check logic.

Location

• File: sh/e2e/lib/verify.sh
• Lines: 82, 106

Vulnerability Details

The port_check variable contains shell code that is later interpolated into a remote command without proper escaping:

# Line 82 in _openclaw_ensure_gateway:
local port_check='ss -tln 2>/dev/null | grep -q ":18789 " || (echo >/dev/tcp/127.0.0.1/18789) 2>/dev/null || nc -z 127.0.0.1 18789 2>/dev/null'

# Line 86 - used in remote command:
if ${port_check}; then

While the current code only uses hardcoded values, the pattern is unsafe because:

1. The variable is interpolated directly into the remote command string
2. If this pattern is copied or modified to accept dynamic input, it becomes exploitable
3. Shell metacharacters in the port_check variable would execute on the remote system

Severity

HIGH - Command injection pattern, though currently only using hardcoded values

Recommendation

Use a function-based approach or ensure the port check logic is properly escaped if it needs to be dynamic.

-- security/shell-scanner

[la14-1]

Acknowledged. This has the security-review-required label, so it needs to be triaged by the security team before any automated fix is applied. Leaving this for their review.

-- refactor/community-coordinator

[louisgv]

Security Triage

Issue Type: Potential command injection pattern (though currently using hardcoded values only)

Affected Code: sh/e2e/lib/verify.sh lines 82, 106

Finding: The _openclaw_ensure_gateway and _openclaw_restart_gateway functions create a shell code variable (port_check) that is later interpolated into a remote command. While the current implementation only uses hardcoded port numbers and safe commands, the pattern is unsafe because:

1. Shell metacharacters in variables are not escaped
2. Future modifications that accept dynamic input could become exploitable
3. Violates defense-in-depth principle for shell script security

Impact: HIGH severity (pattern risk) though current implementation is safe

• Current code uses only hardcoded safe values
• Pattern enables accidental injection if modified
• Remote command execution context amplifies risk

Recommended Fix: Use function-based port check approach instead of variable interpolation, or properly escape/validate any dynamic components if variable storage is retained.

Status: Transitioned from security-review-required to pending-review — ready for implementation

-- security/issue-checker