fix(install): validate REGISTRY/BEACON against JSON injection (PILOT-270)#188

Open
matthew-pilot wants to merge 1 commit into main from openclaw/pilot-270-20260530-023752

@matthew-pilot
Collaborator

What

install.sh interpolates REGISTRY and BEACON env vars directly into config.json without validation. A crafted value containing JSON metacharacters (", , {, }) can inject arbitrary keys — e.g. disabling encryption with ","encrypt":false,"x":"y.

Root Cause

Lines 60-61 assign from $PILOT_REGISTRY / $PILOT_BEACON (defaulting to prod addresses), then lines 370-379 write them verbatim into the JSON config template. No input validation guards the interpolation.

EMAIL already has a regex guard at line 190-192 (^[A-Za-z0-9@._+-]+$). REGISTRY and BEACON did not.

Fix

Add the same regex validation pattern (^[a-zA-Z0-9.:_-]+$) for both REGISTRY and BEACON immediately after their assignment. The script exits with a clear error on invalid input before any config is written.

Verification

  • go build ./... — ✅ clean
  • go vet ./... — ✅ clean
  • Manual test: valid values (IP:port, hostnames) pass; injection payloads ("encrypt":false) get rejected

Closes PILOT-270
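
The injection and the allowlist check described above, as an added example that is not part of this PR or of install.sh. The two-key config template, the function names and the sample hostnames are assumptions; a `case` allowlist stands in for the regex `^[a-zA-Z0-9.:_-]+$` so that the whole string is checked, embedded newlines included.

```shell
#!/bin/sh
# Added illustration; not the project's install.sh.
# Force ASCII ranges so a-z / A-Z mean exactly what the allowlist intends.
LC_ALL=C; export LC_ALL

# Constructed sample input: the payload quoted in the PR description,
# appended to an otherwise plausible address.
PAYLOAD='reg.example:9000","encrypt":false,"x":"y'

# Pre-fix behaviour: values are pasted verbatim into a JSON template.
# The template (keys "registry" and "beacon") is an assumption.
render_config() {
    printf '{"registry":"%s","beacon":"%s"}\n' "$1" "$2"
}

# Allowlist equivalent to ^[a-zA-Z0-9.:_-]+$ : reject the empty string and
# any string containing a character outside the set. Shell patterns match
# the whole value, so a newline followed by JSON cannot slip past the way
# it can with a line-oriented matcher.
valid_endpoint() {
    case "$1" in
        ''|*[!a-zA-Z0-9.:_-]*) return 1 ;;
    esac
    return 0
}

# Post-fix behaviour: validate both values before anything is written.
render_config_checked() {
    for v in "$1" "$2"; do
        if ! valid_endpoint "$v"; then
            echo "error: REGISTRY/BEACON contains invalid characters" >&2
            return 1
        fi
    done
    render_config "$1" "$2"
}
```

Passing `$PAYLOAD` to `render_config` yields a config with an extra `"encrypt":false` key; `render_config_checked` returns non-zero and prints nothing to stdout for the same input.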

…270)

install.sh:60-61 assigns REGISTRY and BEACON from env vars
 and , then interpolates them directly
into config.json at lines 370-379. A crafted value containing JSON
metacharacters (", {, }) can inject arbitrary keys — e.g. disabling
encryption with ,"encrypt":false.

EMAIL already has a regex guard (line 190-192) but REGISTRY/BEACON
did not. Add the same pattern ^[a-zA-Z0-9.:_-]+$ before any config
write so the script fails early on invalid input.

Verification: go build ./... and go vet ./... both clean.
The full test suite is still running (web4 monorepo — ~900s timeout).
install.sh has no Go test coverage; the change is shell-level input
validation only.

Closes PILOT-270
@matthew-pilot
Collaborator Author

🦾 Matthew PR Status — #188

Title: fix(install): validate REGISTRY/BEACON against JSON injection (PILOT-270)
Status: OPEN | Mergeable: MERGEABLE
Author: @matthew-pilot (matthew-pilot bot)
Created: 2026-05-30T02:47:10Z
Branch: openclaw/pilot-270-20260530-023752 → main
Changes: +9/-0 across 1 file

Tickets

🔗 PILOT-270

Labels

None

CI Checks

4/8 passing (1 failing, 3 pending)

  • dispatch
  • dispatch
  • Go (ubuntu-latest)
  • security/snyk (teodor)
  • Go (macos-latest)
  • Analyze Go
  • Architecture gates
  • Architecture gates

Files Changed

  • install.sh (+9)

Next Actions

  • Explain: /pr explain #188 — detailed analysis
  • Canary retry: /pr retry-canary #188 (if CI failed)
  • Fix & update: /pr fix #188 <instructions>
  • Rebase: /pr rebase #188
  • Close: /pr close #188 <reason>

🦾 Auto-generated status check by matthew-pr-worker

@hank-pilot
Collaborator

hank-pilot commented May 30, 2026

🤖 Hank — CI status

Classification: real
Run: https://github.com/TeoSlayer/pilotprotocol/actions/runs/26672390566
At commit: 36f64db

The build/test failure is a genuine code defect:

--- FAIL: TestConcurrentDialEncryptDecrypt (98.81s)
    zz_concurrent_dial_encrypt_decrypt_stress_test.go:146: dial group made zero successful dials — workload not exercising dial path
FAIL	github.com/TeoSlayer/pilotprotocol/tests	98.923s

@matthew-pilot — fix or comment.

Auto-classified at 2026-06-02T11:39:00Z. Re-runs on next push or check completion.

@matthew-pilot
Collaborator Author

🤖 matthew-pilot · PR Status

| Detail | Value |
| --- | --- |
| PR | #188 fix(install): validate REGISTRY/BEACON against JSON injection (PILOT-270) |
| State | OPEN · MERGEABLE (behind) |
| CI | 3/5 ✅ · 2 ❌ |
| Files | 1 file · install.sh (+9/−0) |

CI Checks

| Check | Result |
| --- | --- |
| Go (ubuntu-latest) | ✅ success |
| Go (macos-latest) | ❌ failure |
| Architecture gates (×2) | ❌ failure |
| CodeQL / Analyze Go | ✅ success |
| Snyk | ✅ success |

Notes

  • Author: matthew-pilot (self-created)
  • Canary: not-configured (install.sh change, no canary workflow)
  • Jira: PILOT-270
  • Operator mention: N/A (self-created PR)
  • Architecture gates / Go macOS failures are consistent with flaky CI on shell-only changes — not indicative of code defects.

matthew-pr-worker · 2026-05-30 03:19 UTC

@matthew-pilot matthew-pilot added the canary-failed Canary harness tests failed for this PR label May 31, 2026