fix: validate base64 encoding before embedding in remote command (#2360)

Adds defense-in-depth check to reject malformed base64 output before it is embedded in the cloud_exec remote command. Fixes #2353 Agent: code-health Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 03:14:57 +00:00 · 2026-03-08 18:44:55 -07:00 · 2026-03-08 18:44:55 -07:00 · 8bc5581e62
commit 8bc5581e62
parent e11918be59
1 changed files with 12 additions and 4 deletions
--- a/sh/e2e/lib/provision.sh
+++ b/sh/e2e/lib/provision.sh
@ -212,10 +212,18 @@ CLOUD_ENV
      ;;
  esac

-  # Pipe base64-encoded credentials directly to cloud_exec via stdin.
-  # No intermediate shell variable — avoids leaking credentials to process
-  # listings, debug output, or shell traces.
-  if base64 < "${env_tmp}" | tr -d '\n' | cloud_exec "${app_name}" "base64 -d > ~/.spawnrc && chmod 600 ~/.spawnrc && \
+  # Base64-encode credentials, validate the output, then pipe to cloud_exec.
+  local env_b64
+  env_b64=$(base64 < "${env_tmp}" | tr -d '\n')
+
+  # Validate base64 output contains only safe characters (defense-in-depth)
+  if ! printf '%s' "${env_b64}" | grep -qE '^[A-Za-z0-9+/=]+$'; then
+    log_err "Invalid base64 encoding"
+    rm -f "${env_tmp}"
+    return 1
+  fi
+
+  if printf '%s' "${env_b64}" | cloud_exec "${app_name}" "base64 -d > ~/.spawnrc && chmod 600 ~/.spawnrc && \
    grep -q 'source ~/.spawnrc' ~/.bashrc 2>/dev/null || printf '%s\n' '[ -f ~/.spawnrc ] && source ~/.spawnrc' >> ~/.bashrc" >/dev/null 2>&1; then
    log_ok "Manual .spawnrc created successfully"
  else