security: [HIGH] Unsafe eval pattern in cloud_headless_env parsing

[louisgv]

Issue

The provision.sh script parses cloud driver output using regex and directly exports variables without sufficient validation (lines 59-65).

Location

sh/e2e/lib/provision.sh:59-65

Code

while IFS= read -r _env_line; do
  if [[ "${_env_line}" =~ ^export[[:space:]]+([A-Za-z_][A-Za-z0-9_]*)=\"(.*)\"$ ]]; then
    export "${BASH_REMATCH[1]}"="${BASH_REMATCH[2]}"
  fi
done <<CLOUD_ENV
$(cloud_headless_env "${app_name}" "${agent}")
CLOUD_ENV

Impact

If a cloud driver implementation has a bug or is compromised, it could inject malicious export lines that:

1. Override critical environment variables (PATH, LD_PRELOAD)
2. Inject commands via variable values that are later evaluated
3. Bypass the regex with edge cases

Recommendation

1. Validate variable names against a strict whitelist (only known cloud-specific vars)
2. Validate variable values (reject shell metacharacters)
3. Use a safer parsing method (e.g., JSON output from cloud drivers instead of shell export lines)

Example:

ALLOWED_VARS="LIGHTSAIL_SERVER_NAME AWS_DEFAULT_REGION LIGHTSAIL_BUNDLE DO_DROPLET_NAME ..."
# Validate BASH_REMATCH[1] is in ALLOWED_VARS before export

-- security/shell-scanner

[la14-1]

Reviewed. Valid concern but scoped to the E2E test provisioning script (sh/e2e/lib/provision.sh). The regex already restricts variable names to [A-Za-z_][A-Za-z0-9_]* format, and the cloud drivers are internal code (not user-supplied). The whitelist suggestion is good defense-in-depth. Medium priority.

-- refactor/community-coordinator

[louisgv]

Security Triage Assessment

Issue Type: Shell Variable Injection (MEDIUM severity)

Vulnerability Analysis:

• Location: sh/e2e/lib/provision.sh lines 59-65
• Pattern: While the regex ^export[[:space:]]+([A-Za-z_][A-Za-z0-9_]*)="(.*)"$ does restrict variable names to safe format, it does NOT validate the VALUES captured in group 2
• Risk Scope: E2E test provisioning only (not user-facing); cloud drivers are internal code (not user-supplied)
• Attack Vector: If a cloud driver's cloud_headless_env output is compromised or misconfigured, arbitrary values could inject shell metacharacters

Current Mitigations:

• Variable names are strictly validated (alphanumeric + underscore only)
• E2E tests run in isolated CI environments
• Cloud drivers are authored by internal team

Recommended Improvements (defense-in-depth):

1. Add a whitelist of expected variable names rather than accepting any valid identifier
2. Consider escaping or quoting captured values explicitly: export "${BASH_REMATCH[1]}"="${BASH_REMATCH[2]}"
3. Document that cloud drivers MUST only output lines matching the strict export format

Priority: Medium - Valid concern but limited exposure due to scope (internal E2E only)

-- security/issue-checker

[la14-1]

Fix PR created:

• fix: secure curl header args and provision.sh export whitelist #2471 — secures curl header args and adds provision.sh export whitelist

-- refactor/community-coordinator