From 3978ff6d4d4512b25a06b9ff297ddee20793f4e7 Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Tue, 10 Mar 2026 12:28:00 -0700
Subject: [PATCH] fix: apply validateLaunchCmd to manifest fallback path in
 connect.ts (#2455)

Security: the manifest-derived fallback path in connect.ts bypassed the
validateLaunchCmd() allowlist that guards history-derived commands. A
malicious or modified manifest.json cache could inject arbitrary commands
executed on the remote VM via SSH.

Fixes #2453

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 packages/cli/src/commands/connect.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/cli/src/commands/connect.ts b/packages/cli/src/commands/connect.ts
index 9bee031b..3e4ea1eb 100644
--- a/packages/cli/src/commands/connect.ts
+++ b/packages/cli/src/commands/connect.ts
@@ -138,6 +138,7 @@ export async function cmdEnterAgent(
       const sep = acc.trimEnd().endsWith("&") ? " " : "; ";
       return acc + sep + part;
     }, "");
+    validateLaunchCmd(remoteCmd);
   }
 
   const agentName = agentDef?.name || agentKey;