From fdf7a675b3f24be224edb7621e2fcf0d82b87ad6 Mon Sep 17 00:00:00 2001 From: A <258483684+la14-1@users.noreply.github.com> Date: Wed, 18 Feb 2026 20:20:27 -0800 Subject: [PATCH] security: validate GCP username before su to prevent command injection (#1451) Fixes command injection vulnerability in cloud-init where unquoted $(logname 2>/dev/null || echo "$USER") could allow shell metacharacters to be interpreted with root privileges. Fixes #1450 Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 --- gcp/lib/common.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/gcp/lib/common.sh b/gcp/lib/common.sh index 9fa88a2d..2714a034 100644 --- a/gcp/lib/common.sh +++ b/gcp/lib/common.sh @@ -241,10 +241,14 @@ apt-get install -y curl unzip git zsh nodejs npm # Upgrade Node.js to v22 LTS (apt has v18, agents like Cline need v20+) # n installs to /usr/local/bin but apt's v18 at /usr/bin can shadow it, so symlink over npm install -g n && n 22 && ln -sf /usr/local/bin/node /usr/bin/node && ln -sf /usr/local/bin/npm /usr/bin/npm && ln -sf /usr/local/bin/npx /usr/bin/npx -# Install Bun -su - $(logname 2>/dev/null || echo "$USER") -c 'curl -fsSL https://bun.sh/install | bash' || true -# Install Claude Code -su - $(logname 2>/dev/null || echo "$USER") -c 'curl -fsSL https://claude.ai/install.sh | bash' || true +# Install Bun and Claude Code as the login user +GCP_USERNAME=$(logname 2>/dev/null || echo "${USER:-root}") +if [[ ! "$GCP_USERNAME" =~ ^[a-zA-Z0-9_-]+$ ]]; then + echo "ERROR: Invalid username detected" >&2 + exit 1 +fi +su - "$GCP_USERNAME" -c 'curl -fsSL https://bun.sh/install | bash' || true +su - "$GCP_USERNAME" -c 'curl -fsSL https://claude.ai/install.sh | bash' || true # Configure PATH for all users echo 'export PATH="${HOME}/.claude/local/bin:${HOME}/.local/bin:${HOME}/.bun/bin:${PATH}"' >> /etc/profile.d/spawn.sh chmod +x /etc/profile.d/spawn.sh