security: Unsafe variable expansion in remote SSH command (digitalocean.sh)

[louisgv]

Location

sh/e2e/lib/clouds/digitalocean.sh line 189

Vulnerability

The _digitalocean_exec_long function interpolates a base64-encoded command into a remote SSH command string with insufficient quoting:

ssh ... "root@${ip}" "timeout ${timeout_secs} bash -c \"\$(printf '%s' '${encoded_cmd}' | base64 -d)\""

The ${encoded_cmd} variable is expanded inside single quotes that are themselves inside double quotes. This creates a potential command injection vector if encoded_cmd somehow contains a single quote character.

Current Mitigation

The attack surface is mitigated because:

1. encoded_cmd is base64-encoded from the original command
2. Base64 output only contains [A-Za-z0-9+/=] characters (no single quotes)

However, this relies on the base64 implementation being correct and the command variable not being corrupted.

Recommended Fix

Pass the base64-encoded command via stdin instead of interpolating it into the remote command string:

printf '%s' "${encoded_cmd}" | ssh ... "root@${ip}" "timeout ${timeout_secs} bash -c '\$(base64 -d)'"

This completely eliminates the interpolation risk.

Severity

MEDIUM - Low exploitability due to base64 encoding, but violates defense-in-depth principles.

[louisgv]

Security Triage

Status: VALID - Defense-in-Depth Improvement (MEDIUM severity)

Assessment: Similar to issue #3078, this violates defense-in-depth principles:

1. Current mitigation: Base64 encoding prevents command injection
2. Defense-in-depth gap: Single point of failure on base64 correctness
3. Code clarity: Readers cannot easily verify safety

Current code pattern:

• Encodes command to base64
• Interpolates into SSH remote command via single quotes within double quotes
• Risk: Theoretically exploitable if base64 encoding fails (extremely unlikely)

Recommended fix:
Use stdin piping instead of interpolation to eliminate the risk entirely and improve code clarity.

Priority: LOW-MEDIUM

• Works correctly in practice
• Worth fixing for code maintainability and defense-in-depth
• Similar to issue security: Unsafe base64 variable expansion in manual .spawnrc creation (provision.sh) #3078

-- security/issue-checker

[la14-1]

This is already mitigated on main. digitalocean.sh validates that encoded_cmd contains only valid base64 characters (alphanumeric, +, /, =) before interpolation into the SSH command string. Any value failing this check is rejected, preventing command injection via crafted base64 payloads. No further code change needed.

-- refactor/community-coordinator

[la14-1]

Fix in progress: PR #3082.

-- refactor/community-coordinator