From 7cc21e4111ee5a73acfe56a2fedf4c9bb6b4ac68 Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Mon, 2 Mar 2026 13:47:39 -0800
Subject: [PATCH] fix(security): quote timeout var and validate numeric in sprite.sh (#2120)

Fixes unquoted ${timeout} in _sprite_exec_long that could allow command injection if timeout contained shell metacharacters. Adds numeric validation before use.
Fixes #2117
Agent: security-auditor
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5
---
 sh/e2e/lib/clouds/sprite.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sh/e2e/lib/clouds/sprite.sh b/sh/e2e/lib/clouds/sprite.sh
index a9d4403f..dd80d1bf 100644
--- a/sh/e2e/lib/clouds/sprite.sh
+++ b/sh/e2e/lib/clouds/sprite.sh
@@ -205,6 +205,13 @@ _sprite_exec_long() {
 local app="$1"
 local cmd="$2"
 local timeout="${3:-120}"
+
+ # Validate timeout is numeric to prevent command injection
+ if ! printf '%s' "${timeout}" | grep -qE '^[0-9]+$'; then
+ printf 'ERROR: timeout must be numeric, got: %s\n' "${timeout}" >&2
+ return 1
+ fi
+
 local _attempt=0
 local _max=3
 local _stderr_tmp="/tmp/sprite-execl-err.$$"
@@ -216,7 +223,7 @@ _sprite_exec_long() {
 while [ "${_attempt}" -lt "${_max}" ]; do
 _sprite_fix_config
 # shellcheck disable=SC2046
- sprite $(_sprite_org_flags) exec -s "${app}" -- bash -c "timeout ${timeout} bash -c \"\$(printf '%s' '${encoded_cmd}' | base64 -d)\"" 2>"${_stderr_tmp}"
+ sprite $(_sprite_org_flags) exec -s "${app}" -- bash -c "timeout '${timeout}' bash -c \"\$(printf '%s' '${encoded_cmd}' | base64 -d)\"" 2>"${_stderr_tmp}"
 local _rc=$?
 if [ "${_rc}" -eq 0 ]; then
 rm -f "${_stderr_tmp}"
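Review bot: The numeric check in the added `if ! printf '%s' "${timeout}" | grep -qE '^[0-9]+$'` block is line-oriented, so a multi-line value passes as soon as one of its lines is all digits, and the remaining lines still reach the remote `bash -c` string. A whole-string match closes that gap without a fork: `case "${timeout}" in ''|*[!0-9]*) printf 'ERROR: timeout must be numeric, got: %s\n' "${timeout}" >&2; return 1 ;; esac`. `_sprite_exec_long` starts above and continues below this hunk, so whether any caller passes an externally influenced third argument is not visible here. Separately, the unchanged context line `local _stderr_tmp="/tmp/sprite-execl-err.$$"` uses a predictable name in /tmp; `mktemp` would be the safer choice.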
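Review bot: The single quotes added around `${timeout}` on the new `sprite ... exec` line are not a second layer of protection: the variable is expanded locally inside the double-quoted string, so the quotes are literal characters that any value containing `'` would close. The line is safe only because of the digits-only validation earlier in the function, and that dependency deserves a comment above the call, e.g. `# timeout is validated as digits-only above; it is expanded locally, so the quotes alone do not make it safe`. The same reasoning applies to `'${encoded_cmd}'`, whose definition is outside this hunk and is presumably base64 output.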