fix: prevent shell/Python injection in env var and credential handling (#443)

- binarylane/continue.sh: Replace unsafe inline echo with inject_env_vars_ssh to prevent command injection if OPENROUTER_API_KEY contains single quotes - test/record.sh: Pass credential values via sys.argv instead of interpolating into Python string literals to prevent Python injection Agent: security-auditor Co-authored-by: A <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-05 23:50:48 +00:00 · 2026-02-11 04:50:34 -08:00 · 2026-02-11 04:50:34 -08:00 · 88fa9e48e6
commit 88fa9e48e6
parent 2bc95fdf15
2 changed files with 18 additions and 15 deletions
--- a/test/record.sh
+++ b/test/record.sh
@ -231,38 +231,40 @@ save_config() {
    local config_file="${config_dir}/${cloud}.json"
    mkdir -p "$config_dir"

+    # SECURITY: Pass values via sys.argv to prevent Python injection from credentials
+    # containing single quotes or other special characters
    case "$cloud" in
        ovh)
            python3 -c "
-import json
-d = {'application_key': '${OVH_APPLICATION_KEY:-}', 'application_secret': '${OVH_APPLICATION_SECRET:-}',
-     'consumer_key': '${OVH_CONSUMER_KEY:-}', 'project_id': '${OVH_PROJECT_ID:-}'}
+import json, sys
+d = {'application_key': sys.argv[1], 'application_secret': sys.argv[2],
+     'consumer_key': sys.argv[3], 'project_id': sys.argv[4]}
 print(json.dumps(d, indent=2))
-" > "$config_file"
+" "${OVH_APPLICATION_KEY:-}" "${OVH_APPLICATION_SECRET:-}" "${OVH_CONSUMER_KEY:-}" "${OVH_PROJECT_ID:-}" > "$config_file"
            ;;
        upcloud)
            python3 -c "
-import json
-print(json.dumps({'username': '${UPCLOUD_USERNAME:-}', 'password': '${UPCLOUD_PASSWORD:-}'}, indent=2))
-" > "$config_file"
+import json, sys
+print(json.dumps({'username': sys.argv[1], 'password': sys.argv[2]}, indent=2))
+" "${UPCLOUD_USERNAME:-}" "${UPCLOUD_PASSWORD:-}" > "$config_file"
            ;;
        kamatera)
            python3 -c "
-import json
-print(json.dumps({'client_id': '${KAMATERA_API_CLIENT_ID:-}', 'secret': '${KAMATERA_API_SECRET:-}'}, indent=2))
-" > "$config_file"
+import json, sys
+print(json.dumps({'client_id': sys.argv[1], 'secret': sys.argv[2]}, indent=2))
+" "${KAMATERA_API_CLIENT_ID:-}" "${KAMATERA_API_SECRET:-}" > "$config_file"
            ;;
        ramnode)
            python3 -c "
-import json
-print(json.dumps({'username': '${RAMNODE_USERNAME:-}', 'password': '${RAMNODE_PASSWORD:-}', 'project_id': '${RAMNODE_PROJECT_ID:-}'}, indent=2))
-" > "$config_file"
+import json, sys
+print(json.dumps({'username': sys.argv[1], 'password': sys.argv[2], 'project_id': sys.argv[3]}, indent=2))
+" "${RAMNODE_USERNAME:-}" "${RAMNODE_PASSWORD:-}" "${RAMNODE_PROJECT_ID:-}" > "$config_file"
            ;;
        *)
            local env_var
            env_var=$(get_auth_env_var "$cloud")
            eval "local val=\"\${${env_var}:-}\""
-            python3 -c "import json; print(json.dumps({'api_key': '${val}'}, indent=2))" > "$config_file"
+            python3 -c "import json, sys; print(json.dumps({'api_key': sys.argv[1]}, indent=2))" "${val}" > "$config_file"
            ;;
    esac
    printf '%b\n' "  ${GREEN}saved${NC} → ${config_file}"