Skip to content

security: shell-quote interpolated values in guest command strings#61

Merged
ErenAri merged 1 commit into
mainfrom
security/shell-quote-hardening
Jun 28, 2026
Merged

security: shell-quote interpolated values in guest command strings#61
ErenAri merged 1 commit into
mainfrom
security/shell-quote-hardening

Conversation

@ErenAri

@ErenAri ErenAri commented Jun 28, 2026

Copy link
Copy Markdown
Contributor

Addresses the three GitHub Code Quality (AI) findings on internal/vm/qemu.go. All three flag the same theme: guest command strings are assembled by string concatenation, relying on upstream manifest/profile validation rather than explicit shell-quoting.

Since these commands run through sshRun as a single shell string, exec.Command-style separate args can't avoid the shell — the correct hardening is to single-quote every interpolated operand. This is defense-in-depth: a validation gap can no longer turn an interpolated value into shell syntax.

Changes

  • Reuse the existing shellQuote helper (previously only used by virtme_ng.go) across the qemu run path:
    • validator run command — validator/artifact/manifest/functional-plan/out/log-dir/stderr/exit paths and attach-mode each single-quoted
    • mapFixupArgs / progTypeArgs / progVariantArgs / --probe-companions operands quoted
    • guestKernelInstallCmd — kernel release string and .deb package URLs quoted
  • Documented shellQuote's escaping contract; added TestShellQuote (embedded single quotes + $(...), ;, #).
  • Updated the arg-builder test expectations to the quoted form.

Notes

  • All values remain validated upstream — this is belt-and-suspenders, not a fix for a known-exploitable path.
  • No behavior change for valid inputs: the guest shell strips the added quotes, so the validator receives identical arguments.
  • Scope is the live VM-runner path (not the frozen runtime agent).

Verification

go build, go vet, go test ./... all green; gofmt clean.

🤖 Generated with Claude Code

Addresses the GitHub Code Quality (AI) findings on internal/vm/qemu.go: guest
command strings were assembled by concatenation, relying on upstream manifest/
profile validation rather than explicit quoting. This adds defense-in-depth so
a validation gap can never turn an interpolated value into shell syntax.

- Reuse the existing shellQuote helper (was only used by virtme_ng.go) and
  apply it across the qemu run path:
    * validator run command — validator/artifact/manifest/functional-plan/out/
      log-dir/stderr/exit paths and attach-mode are each single-quoted
    * mapFixupArgs / progTypeArgs / progVariantArgs / probe-companions operands
    * guestKernelInstallCmd — kernel release and .deb package URLs
- Document shellQuote's escaping contract; add TestShellQuote covering embedded
  single quotes and shell metacharacters.
- Update arg-builder tests to expect the quoted operands.

All values here are still validated upstream; this is belt-and-suspenders, not
a fix for a known-exploitable path. No behavior change for valid inputs (the
shell strips the added quotes).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@ErenAri ErenAri merged commit 63a670e into main Jun 28, 2026
8 of 9 checks passed
@ErenAri ErenAri deleted the security/shell-quote-hardening branch June 28, 2026 10:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant