From 69d1971abffafd2a4ec045b44cf71fc59624ebdf Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Sun, 1 Mar 2026 14:10:22 -0800
Subject: [PATCH] fix(security): remove space from token validation charset in key-request.sh (#2074)
API tokens never contain spaces; allowing them risks word splitting in downstream unquoted uses of these env vars. Updated both the shell regex in key-request.sh and the corresponding TypeScript regexes in digitalocean.ts to stay in sync.
Fixes #2072
Agent: code-health
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5
---
 packages/cli/src/digitalocean/digitalocean.ts | 4 ++--
 sh/shared/key-request.sh | 5 ++---
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/packages/cli/src/digitalocean/digitalocean.ts b/packages/cli/src/digitalocean/digitalocean.ts
index aeaf6792..597a25b9 100644
--- a/packages/cli/src/digitalocean/digitalocean.ts
+++ b/packages/cli/src/digitalocean/digitalocean.ts
@@ -202,7 +202,7 @@ function loadTokenFromConfig(): string | null {
 if (!token) {
 return null;
 }
- if (!/^[a-zA-Z0-9._/@:+=, -]+$/.test(token)) {
+ if (!/^[a-zA-Z0-9._/@:+=-]+$/.test(token)) {
 return null;
 }
 return token;
@@ -217,7 +217,7 @@ function loadRefreshToken(): string | null {
 if (!refreshToken) {
 return null;
 }
- if (!/^[a-zA-Z0-9._/@:+=, -]+$/.test(refreshToken)) {
+ if (!/^[a-zA-Z0-9._/@:+=-]+$/.test(refreshToken)) {
 return null;
 }
 return refreshToken;
diff --git a/sh/shared/key-request.sh b/sh/shared/key-request.sh
index a2d24671..37d20ffb 100644
--- a/sh/shared/key-request.sh
+++ b/sh/shared/key-request.sh
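Review bot: The same character-class literal is repeated in `loadTokenFromConfig` and `loadRefreshToken` (the second digitalocean.ts hunk) and again in sh/shared/key-request.sh, and the removed lines show the copies had already drifted: the TypeScript class allowed `,` where the shell one did not. Hoisting it into one module-level constant, e.g. `const TOKEN_CHARSET_RE = /^[a-zA-Z0-9._/@:+=-]+$/;`, and calling `TOKEN_CHARSET_RE.test(...)` in both functions would leave a single place to keep aligned with the shell check. These hunks also drop `,` as well as the space, which the commit message does not mention; a stored value containing either now makes the loader return `null` with no log line, so it will presumably look like a missing token rather than a rejected one. Both function bodies begin and end outside the hunks shown.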
@@ -89,13 +89,12 @@ process.stdout.write(d[process.env._VAR] || d.api_key || d.token || '');
 # Allow alphanumeric plus safe chars needed by real tokens:
 # - _ . / @ (standard API key chars)
 # : + = (base64 segments, URL-safe and base64 formats)
- # space (prefixed token formats, e.g., "Bearer ")
 # Keep in sync with loadTokenFromConfig regex in packages/cli/src/digitalocean/digitalocean.ts
- if [[ ! "${val}" =~ ^[a-zA-Z0-9._/@:+=\ -]+$ ]]; then
+ if [[ ! "${val}" =~ ^[a-zA-Z0-9._/@:+=-]+$ ]]; then
 log "SECURITY: Invalid characters in config value for ${var_name}"
 return 1
 fi
- # SECURITY: val is already validated against ^[a-zA-Z0-9._/@:+=\ -]+$ above,
+ # SECURITY: val is already validated against ^[a-zA-Z0-9._/@:+=-]+$ above,
 # and var_name is validated against ^[A-Z_][A-Z0-9_]*$ by the caller.
 # Use export NAME=VALUE (bash 3.2 compatible; printf -v requires bash 4.0+).
 export "${var_name}=${val}"
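Review bot: The tightened class in the `[[ ... =~ ... ]]` test still accepts a value whose first character is `-`, which a downstream command can read as an option even when the variable is quoted, so part of the argument-handling risk named in the commit message remains. If no supported provider issues tokens that begin with a hyphen, anchoring the first character would close that: `if [[ ! "${val}" =~ ^[a-zA-Z0-9_][a-zA-Z0-9._/@:+=-]*$ ]]; then`, with the same change mirrored in digitalocean.ts and in the `# SECURITY:` comment below it. The `Keep in sync` comment also names only `loadTokenFromConfig`, while `loadRefreshToken` carries the same regex; I would extend it to `# Keep in sync with the loadTokenFromConfig and loadRefreshToken regexes in packages/cli/src/digitalocean/digitalocean.ts`. The enclosing function starts before this hunk and presumably continues after it.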