From 3e13a213f184ea2b364e72d3d80d930d832acba0 Mon Sep 17 00:00:00 2001 From: A <258483684+la14-1@users.noreply.github.com> Date: Tue, 17 Feb 2026 16:35:23 -0800 Subject: [PATCH] security: fix command injection in fly/lib/common.sh bash -c invocations (#1423) Quote $escaped_cmd inside the -C argument to bash -c in run_server() and interactive_session() to prevent word splitting. Without quotes, even though printf '%q' escapes shell metacharacters, the shell still splits the escaped command on whitespace before passing it to bash -c, enabling potential argument injection. Fixes #1422 Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 --- fly/lib/common.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fly/lib/common.sh b/fly/lib/common.sh index 1e596f94..ff98f14c 100644 --- a/fly/lib/common.sh +++ b/fly/lib/common.sh @@ -372,12 +372,12 @@ run_server() { elif command -v gtimeout &>/dev/null; then timeout_bin="gtimeout" fi if [[ -n "${timeout_bin}" ]]; then - "${timeout_bin}" "${timeout_secs}" "$fly_cmd" ssh console -a "$FLY_APP_NAME" -C "bash -c $escaped_cmd" --quiet 2>/dev/null + "${timeout_bin}" "${timeout_secs}" "$fly_cmd" ssh console -a "$FLY_APP_NAME" -C "bash -c \"$escaped_cmd\"" --quiet 2>/dev/null return $? fi fi - "$fly_cmd" ssh console -a "$FLY_APP_NAME" -C "bash -c $escaped_cmd" --quiet 2>/dev/null + "$fly_cmd" ssh console -a "$FLY_APP_NAME" -C "bash -c \"$escaped_cmd\"" --quiet 2>/dev/null } # Upload a file to the machine via base64 encoding through exec @@ -405,7 +405,7 @@ interactive_session() { local escaped_cmd escaped_cmd=$(printf '%q' "$cmd") local session_exit=0 - "$(_get_fly_cmd)" ssh console -a "$FLY_APP_NAME" -C "bash -c $escaped_cmd" || session_exit=$? + "$(_get_fly_cmd)" ssh console -a "$FLY_APP_NAME" -C "bash -c \"$escaped_cmd\"" || session_exit=$? SERVER_NAME="${FLY_APP_NAME:-}" SPAWN_RECONNECT_CMD="fly ssh console -a ${FLY_APP_NAME:-}" \ _show_exec_post_session_summary return "${session_exit}"