From 7187ef1cbf659deaeaf9467f815bdc08a2d23c77 Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Tue, 17 Feb 2026 09:54:06 -0800
Subject: [PATCH] security: fix unsafe command substitution in GCP cloud-init script (#1413)

Replace nested command substitution $(echo "$(whoami)") with $USER environment variable to prevent potential command injection attacks.

The nested substitution was vulnerable because:
- whoami could be aliased or PATH-manipulated in compromised environments
- Running as root in cloud-init amplified the security impact
- Double nesting was unnecessary complexity

Using $USER is safer because:
- It's a shell variable, not command execution
- No subprocess spawning or PATH resolution
- Simpler and more reliable

Agent: test-engineer
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5
---
 gcp/lib/common.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gcp/lib/common.sh b/gcp/lib/common.sh
index 0f37b91a..e5958330 100644
--- a/gcp/lib/common.sh
+++ b/gcp/lib/common.sh
@@ -139,9 +139,9 @@ get_cloud_init_userdata() {
 apt-get update -y
 apt-get install -y curl unzip git zsh
 # Install Bun
-su - $(logname 2>/dev/null || echo "$(whoami)") -c 'curl -fsSL https://bun.sh/install | bash' || true
+su - $(logname 2>/dev/null || echo "$USER") -c 'curl -fsSL https://bun.sh/install | bash' || true
 # Install Claude Code
-su - $(logname 2>/dev/null || echo "$(whoami)") -c 'curl -fsSL https://claude.ai/install.sh | bash' || true
+su - $(logname 2>/dev/null || echo "$USER") -c 'curl -fsSL https://claude.ai/install.sh | bash' || true
 # Configure PATH for all users
 echo 'export PATH="${HOME}/.claude/local/bin:${HOME}/.bun/bin:${PATH}"' >> /etc/profile.d/spawn.sh
 chmod +x /etc/profile.d/spawn.sh
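Review bot: On both new `su -` lines the fallback `$USER` is an inherited environment variable rather than an identity lookup, and the surrounding `$(…)` is still unquoted, so the account name is now taken from whatever the calling environment supplies instead of from the effective UID. If `logname` fails and `USER` is unset or empty (which may well be the case in a cloud-init run with no login session), the word disappears and the command becomes `su - -c '…'`; a value containing whitespace or a leading dash would be split into extra `su` arguments. I would resolve the account once from the effective UID with an absolute path and quote it: `target_user=$(logname 2>/dev/null || /usr/bin/id -un)` and then `su - "$target_user" -c '…'` for both installers. The body of get_cloud_init_userdata starts and ends outside this hunk, so it is worth confirming whether this text sits in a quoted or unquoted heredoc, since that decides whether `$USER` is expanded on the VM or on the machine generating the userdata. Separately, `|| true` on both lines hides a failed `su` or installer download, so a wrong target user would go unnoticed; logging the failure to stderr would make that visible.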