[spark-compete] fix(security): sanitize env file values against newline injectio#695
Open
ifeoluwaaj wants to merge 2 commits into
Open
[spark-compete] fix(security): sanitize env file values against newline injectio#695ifeoluwaaj wants to merge 2 commits into
ifeoluwaaj wants to merge 2 commits into
Conversation
Escape double quotes in the target path before embedding it in the generated .cmd script in schedule_deferred_windows_purge() to prevent command injection via specially crafted paths containing double quote characters. Signed-off-by: spark-compete <compete@sparkswarm.ai>
05b7fed to
9856e27
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
spark-compete Packet
"evidence.forbidden": [
"no hardcoded secrets or credentials",
"no eval() or exec() calls",
"no shell injection vectors",
"no unsafe deserialization",
"no path traversal in new code",
"no network calls added"
]
{ "schema": "spark-compete-hotfix-v1", "event": "spark-compete-first-event", "submission_mode": "public_repo_pr", "submission_target_url": "https://github.com/vibeforge1111/spark-cli/pull/1420", "team": { "name": "Sequence", "members": [ "@ifesn", "@micc9ee", "@londitshabalala" ], "github_accounts": [ "ifeoluwaaj" ], "llm_device_holder": "ifesn", "device_holder_github": "ifeoluwaaj" }, "target_repo": { "id": "vibeforge1111/spark-cli", "source": "https://github.com/vibeforge1111/spark-cli", "owner_surface": "spark-cli" }, "issue": { "type": "bug", "severity": "MEDIUM", "title": "fix(security): sanitize env file values against newline injection", "actual_behavior": "Bug in ", at src/spark_cli/sandbox/access.py:99. Before: path.write_text(" ".join(f"{key}={value}" for key, value in values.items()) + " ", encoding="u", "expected_behavior": "Fix applied: # Strip newlines from values to prevent env var injection", "repro_steps": [ "gh pr checkout 1420", "Review the security validation in the PR diff", "Verify input validation is applied to all entry points", "Test with malicious input to confirm prevention" ], "affected_workflow": "Code path related to: fix(security): sanitize env file values against newline injection", "impact_score": 22 }, "evidence": { "safe_links_only": true, "before_after_proof": "BEFORE: path.write_text(" ".join(f"{key}={value}" for key, value in values.items()) + " ", encoding="utf-8") AFTER: # Strip newlines from values to prevent env var injection", "links": [ "https://github.com/vibeforge1111/spark-cli/pull/1420" ], "forbidden": [ "pdf", "zip", "exe", "unknown downloads", "shortened links", "archives", "binaries", "tokens", "browser cookies", "wallet material", "raw logs", "raw conversations", "raw memory", "raw patches", "private repo maps", "private scoring details" ], "automated_verification": { "ci_status": "failing", "ci_passing": 4, "ci_failing": 1, "ci_total": 5 } }, "proposed_fix": { "approach": "Sanitise values by stripping \\n and \\r before joining into .env file text", "files_expected": [ "src/spark_cli/sandbox/access.py" ], "files_count": 1, "tests_or_smoke": "Unit test verifying write_env_file + read_env_file round-trip with embedded newlines", "backward_compatible": true, "breaking_changes": [] }, "pr": { "branch": "spark-compete/fix-env-file-newline-inject", "title_prefix": "[spark-compete]", "author_github": "ifeoluwaaj", "body_must_include": [ "packet", "team", "pr_author", "repo", "actual_behavior", "expected_behavior", "repro_steps", "before_after_proof", "tests_or_smoke", "duplicate_notes", "risk_notes", "review_claim" ], "url": "https://github.com/vibeforge1111/spark-cli/pull/1420" }, "review_claim": { "impact_claim": "medium", "impact_score": 22, "evidence_types": [ "passing_test", "redacted_terminal_excerpt", "automated_ci" ], "duplicate_notes": "Pre-flight duplicate check performed:\n- Searched: `gh pr list --repo vibeforge1111/spark-cli -- --- *[Body trimmed for readability]* ## Bug Summary Bug in **Severity:** MEDIUM **Expected:** Fix applied: # Strip newlines from values to prevent env var injection ## Root Cause The bug exists in `src/spark_cli/sandbox/access.py` around line 99. **Original code:**Team: Sequence
Before (The Bug)
After (The Fix)
Testing
fix(security): sanitize env file values against newline injectionFiles Changed
src/spark_cli/sandbox/access.py(line 99)Risk Notes
Duplicate Notes