From 24e393817f4fdbd941f405311d22bee1ad487bcd Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Sun, 8 Mar 2026 07:43:28 -0700
Subject: [PATCH] fix: harden env var parsing and pkill patterns in
 provision.sh (#2342)

- Block dangerous system env vars (PATH, LD_PRELOAD, etc.) before export
- Add explicit alphanumeric validation on env var names
- Validate app_name is non-empty and safe before pkill -f
- Tighten pkill regex from "sprite.*exec.*" to "sprite exec.*"

Fixes #2330 #2332

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 sh/e2e/lib/provision.sh | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/sh/e2e/lib/provision.sh b/sh/e2e/lib/provision.sh
index 4abccb1c..b3ab86a2 100644
--- a/sh/e2e/lib/provision.sh
+++ b/sh/e2e/lib/provision.sh
@@ -69,7 +69,19 @@ provision_agent() {
       if [ -z "${_env_name}" ]; then
         continue
       fi
-      # Validate value against a safe character whitelist
+      # Block dangerous system env vars that could enable privilege escalation
+      case "${_env_name}" in
+        PATH|LD_PRELOAD|LD_LIBRARY_PATH|HOME|SHELL|USER|IFS|ENV|BASH_ENV|CDPATH)
+          log_err "Blocked dangerous env var: ${_env_name}"
+          continue
+          ;;
+      esac
+      # Validate env var name matches strict alphanumeric pattern
+      if ! printf '%s' "${_env_name}" | grep -qE '^[A-Za-z_][A-Za-z0-9_]*$'; then
+        log_err "Invalid env var name: ${_env_name}"
+        continue
+      fi
+      # Validate value against a safe character whitelist BEFORE export
       if printf '%s' "${_env_val}" | grep -qE '[^A-Za-z0-9@%+=:,./_-]'; then
         log_err "Invalid characters in env value for ${_env_name}"
         continue
@@ -104,8 +116,12 @@ CLOUD_ENV
     pkill -P "${pid}" 2>/dev/null || true
     kill "${pid}" 2>/dev/null || true
     wait "${pid}" 2>/dev/null || true
-    # Also kill any lingering sprite exec processes for this specific app
-    pkill -f "sprite.*exec.*${app_name}" 2>/dev/null || true
+    # Also kill any lingering sprite exec processes for this specific app.
+    # Validate app_name is non-empty and contains only safe characters to
+    # prevent overly broad pkill -f patterns from killing unrelated processes.
+    if [ -n "${app_name}" ] && printf '%s' "${app_name}" | grep -qE '^[A-Za-z0-9._-]+$'; then
+      pkill -f "sprite exec.*${app_name}" 2>/dev/null || true
+    fi
     sleep 1
   fi