[spark-compete] fix(security): add -- separator before prompt in codex/claude CL#782
Open
ifeoluwaaj wants to merge 2 commits into
Open
[spark-compete] fix(security): add -- separator before prompt in codex/claude CL#782ifeoluwaaj wants to merge 2 commits into
ifeoluwaaj wants to merge 2 commits into
Conversation
Escape double quotes in the target path before embedding it in the generated .cmd script in schedule_deferred_windows_purge() to prevent command injection via specially crafted paths containing double quote characters. Signed-off-by: spark-compete <compete@sparkswarm.ai>
57a354c to
9856e27
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
spark-compete Packet
"evidence.forbidden": [
"no hardcoded secrets or credentials",
"no eval() or exec() calls",
"no shell injection vectors",
"no unsafe deserialization",
"no path traversal in new code",
"no network calls added"
]
{ "schema": "spark-compete-hotfix-v1", "event": "spark-compete-first-event", "submission_mode": "public_repo_pr", "submission_target_url": "https://github.com/vibeforge1111/spark-cli/pull/1363", "team": { "name": "Sequence", "members": [ "@ifesn", "@micc9ee", "@londitshabalala" ], "github_accounts": [ "ifeoluwaaj" ], "llm_device_holder": "ifesn", "device_holder_github": "ifeoluwaaj" }, "target_repo": { "id": "vibeforge1111/spark-cli", "source": "https://github.com/vibeforge1111/spark-cli", "owner_surface": "spark-cli" }, "issue": { "type": "bug", "severity": "MEDIUM", "title": "fix(security): add -- separator before prompt in codex/claude CLI to prevent argument injection", "actual_behavior": "Bug in ", at src/spark_cli/cli.py:10809", "expected_behavior": "Fix applied: # Use -- separator to prevent prompt text from being interpreted as flags", "repro_steps": [ "gh pr checkout 1363", "Review the security validation in the PR diff", "Verify input validation is applied to all entry points", "Test with malicious input to confirm prevention" ], "affected_workflow": "Code path related to: fix(security): add -- separator before prompt in codex/claude CLI to prevent argument injection", "impact_score": 22 }, "evidence": { "safe_links_only": true, "before_after_proof": "BEFORE: Original code AFTER: # Use -- separator to prevent prompt text from being interpreted as flags", "links": [ "https://github.com/vibeforge1111/spark-cli/pull/1363" ], "forbidden": [ "pdf", "zip", "exe", "unknown downloads", "shortened links", "archives", "binaries", "tokens", "browser cookies", "wallet material", "raw logs", "raw conversations", "raw memory", "raw patches", "private repo maps", "private scoring details" ], "automated_verification": { "ci_status": "failing", "ci_passing": 4, "ci_failing": 1, "ci_total": 5 } }, "proposed_fix": { "approach": "Insert `command.append(\"--\")` before `command.append(prompt)` in both `codex_cli_completion()` and `claude_cli_completion()` to use the standard POSIX argument boundary convention", "files_expected": [ "src/spark_cli/cli.py" ], "files_count": 1, "tests_or_smoke": "No automated tests exist for this path. Manual verification: confirm the CLI subprocess receives `--` before the prompt in the command list.", "backward_compatible": true, "breaking_changes": [] }, "pr": { "branch": "spark-compete/fix-cli-argument-injection", "title_prefix": "[spark-compete]", "author_github": "ifeoluwaaj", "body_must_include": [ "packet", "team", "pr_author", "repo", "actual_behavior", "expected_behavior", "repro_steps", "before_after_proof", "tests_or_smoke", "duplicate_notes", "risk_notes", "review_claim" ], "url": "https://github.com/vibeforge1111/spark-cli/pull/1363" }, "review_claim": { "impact_c --- *[Body trimmed for readability]* ## Bug Summary Bug in **Severity:** MEDIUM **Expected:** Fix applied: # Use -- separator to prevent prompt text from being interpreted as flags ## Root Cause The bug exists in `src/spark_cli/cli.py` around line 10809. ## Fix Applied fix:Team: Sequence
Testing
fix(security): add -- separator before prompt in codex/claude CLI to prevent argument injectionFiles Changed
src/spark_cli/cli.py(line 10809)src/spark_cli/cli.py(line 10851)Risk Notes
Duplicate Notes