From 8bc5581e627f5c38a02e85367c9927abb6092f59 Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Sun, 8 Mar 2026 18:44:55 -0700
Subject: [PATCH] fix: validate base64 encoding before embedding in remote command (#2360)

Adds defense-in-depth check to reject malformed base64 output before it is embedded in the cloud_exec remote command.
Fixes #2353
Agent: code-health
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6
---
 sh/e2e/lib/provision.sh | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/sh/e2e/lib/provision.sh b/sh/e2e/lib/provision.sh
index 57643104..9dce8037 100644
--- a/sh/e2e/lib/provision.sh
+++ b/sh/e2e/lib/provision.sh
@@ -212,10 +212,18 @@ CLOUD_ENV
 ;;
 esac
 
- # Pipe base64-encoded credentials directly to cloud_exec via stdin.
- # No intermediate shell variable — avoids leaking credentials to process
- # listings, debug output, or shell traces.
- if base64 < "${env_tmp}" | tr -d '\n' | cloud_exec "${app_name}" "base64 -d > ~/.spawnrc && chmod 600 ~/.spawnrc && \
+ # Base64-encode credentials, validate the output, then pipe to cloud_exec.
+ local env_b64
+ env_b64=$(base64 < "${env_tmp}" | tr -d '\n')
+
+ # Validate base64 output contains only safe characters (defense-in-depth)
+ if ! printf '%s' "${env_b64}" | grep -qE '^[A-Za-z0-9+/=]+$'; then
+ log_err "Invalid base64 encoding"
+ rm -f "${env_tmp}"
+ return 1
+ fi
+
+ if printf '%s' "${env_b64}" | cloud_exec "${app_name}" "base64 -d > ~/.spawnrc && chmod 600 ~/.spawnrc && \
 grep -q 'source ~/.spawnrc' ~/.bashrc 2>/dev/null || printf '%s\n' '[ -f ~/.spawnrc ] && source ~/.spawnrc' >> ~/.bashrc" >/dev/null 2>&1; then
 log_ok "Manual .spawnrc created successfully"
 else
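Review bot: Holding the encoded credentials in `env_b64` gives up the property the removed comment documented: if the script ever runs under `set -x`, the assignment and both `printf '%s' "${env_b64}"` calls would write the base64 credentials, which are trivially decodable, to the trace. The check can be kept without the variable by validating a separate encode, `if ! base64 < "${env_tmp}" | tr -d '\n' | grep -qE '^[A-Za-z0-9+/=]+$'; then`, and leaving the original `base64 < "${env_tmp}" | tr -d '\n' | cloud_exec ...` pipe as it was. The new comment should also say what the check actually catches: the payload reaches `cloud_exec` on stdin rather than inside the command string, so in practice the `+` quantifier mainly rejects empty output from a failed encode. The enclosing function begins above the hunk and the `else` branch continues below it.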