security: shell-quote interpolated values in guest command strings #61
Merged
Addresses the GitHub Code Quality (AI) findings on internal/vm/qemu.go: guest
command strings were assembled by concatenation, relying on upstream manifest/
profile validation rather than explicit quoting. This adds defense-in-depth so
a validation gap can never turn an interpolated value into shell syntax.
- Reuse the existing shellQuote helper (was only used by virtme_ng.go) and
  apply it across the qemu run path:
    * validator run command — validator/artifact/manifest/functional-plan/out/
      log-dir/stderr/exit paths and attach-mode are each single-quoted
    * mapFixupArgs / progTypeArgs / progVariantArgs / probe-companions operands
    * guestKernelInstallCmd — kernel release and .deb package URLs
- Document shellQuote's escaping contract; add TestShellQuote covering embedded
  single quotes and shell metacharacters.
- Update arg-builder tests to expect the quoted operands.
All values here are still validated upstream; this is belt-and-suspenders, not
a fix for a known-exploitable path. No behavior change for valid inputs (the
shell strips the added quotes).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Addresses the three GitHub Code Quality (AI) findings on internal/vm/qemu.go. All three flag the same theme: guest command strings are assembled by string concatenation, relying on upstream manifest/profile validation rather than explicit shell-quoting.

Since these commands run through sshRun as a single shell string, exec.Command-style separate args can't avoid the shell — the correct hardening is to single-quote every interpolated operand. This is defense-in-depth: a validation gap can no longer turn an interpolated value into shell syntax.

Changes
- shellQuote helper (previously only used by virtme_ng.go) across the qemu run path:
  * mapFixupArgs / progTypeArgs / progVariantArgs / --probe-companions operands quoted
  * guestKernelInstallCmd — kernel release string and .deb package URLs quoted
- shellQuote's escaping contract; added TestShellQuote (embedded single quotes + $(...), ;, #).

Notes

Verification
go build, go vet, go test ./... all green; gofmt clean.

🤖 Generated with Claude Code
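
The single-quote escaping contract described above, as an added Go example (not code from this PR or repository; the PR's shellQuote source is not shown on this page). The names quoteArg and splitWords, the "install" command word and the sample operand are hypothetical; splitWords is a small model of POSIX shell tokenizing used to check offline that a quoted operand comes back as exactly one literal word.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteArg is a hypothetical stand-in for the PR's shellQuote (its source is
// not on the page): wrap s in single quotes, rewriting each embedded ' as '\''.
func quoteArg(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// splitWords models POSIX shell tokenizing for the subset needed here: '...'
// is literal, \c outside quotes is a literal c, unquoted spaces split words.
// ok is false if a metacharacter is unquoted or input ends inside a quote or escape.
func splitWords(cmd string) (words []string, ok bool) {
	var cur strings.Builder
	var inQuote, esc, inWord bool
	for _, c := range []byte(cmd + " ") { // trailing space flushes the last word
		switch {
		case inQuote && c == '\'':
			inQuote = false
		case inQuote || esc:
			cur.WriteByte(c)
			esc = false
		case c == '\'':
			inQuote, inWord = true, true
		case c == '\\':
			esc, inWord = true, true
		case c == ' ' && inWord:
			words, inWord = append(words, cur.String()), false
			cur.Reset()
		case c == ' ':
		case strings.IndexByte("|&;<>()$`\"*?[]#~!{}\t\n", c) >= 0:
			return nil, false
		default:
			cur.WriteByte(c)
			inWord = true
		}
	}
	return words, !inWord // still in a word: open quote or trailing backslash
}

func main() {
	v := "6.1.0; echo injected #" // constructed hostile operand, not from the page
	fmt.Println(splitWords("install " + v))           // unquoted ; is shell syntax
	fmt.Println(splitWords("install " + quoteArg(v))) // one literal operand
}
```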