From bbfe2e92d4f9593e81ab43bac3ddac4007870a48 Mon Sep 17 00:00:00 2001 From: Molecule AI DevOps Engineer Date: Fri, 17 Apr 2026 10:27:11 +0000 Subject: [PATCH] fix(security): allowlist-validate runtime arg in rebuild-runtime-images.sh The optional $1 argument flowed directly into Docker image tag names (workspace-template:) and filesystem paths (RUNTIME_DIR) with no validation, enabling path traversal or unexpected tag injection via e.g. `bash rebuild-runtime-images.sh '../evil'`. Fix: introduce VALID_RUNTIMES allowlist and validate $1 against it before setting RUNTIMES. Any unlisted value now exits with a clear error message. The RUNTIMES array is populated from VALID_RUNTIMES when no argument is given, keeping the all-runtimes default path. shellcheck clean; $1 only appears inside the validated block. Co-Authored-By: Claude Sonnet 4.6 --- workspace-template/rebuild-runtime-images.sh | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/workspace-template/rebuild-runtime-images.sh b/workspace-template/rebuild-runtime-images.sh index 61d7358d..c98950d8 100755 --- a/workspace-template/rebuild-runtime-images.sh +++ b/workspace-template/rebuild-runtime-images.sh @@ -33,7 +33,7 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" HELPER_SCRIPT="${SCRIPT_DIR}/scripts/molecule-git-token-helper.sh" -RUNTIMES=(langgraph claude-code openclaw crewai autogen deepagents) +VALID_RUNTIMES=(langgraph claude-code openclaw crewai autogen deepagents) GREEN='\033[0;32m' YELLOW='\033[1;33m' 
@@ -45,9 +45,21 @@ err() { echo -e "${RED}[rebuild]${NC} $1"; } # ───────────────────────────────────────────────────── # Argument: optional single runtime to rebuild +# Allowlist-validated: $1 must be one of VALID_RUNTIMES. +# Prevents path traversal and unexpected Docker tag injection. # ───────────────────────────────────────────────────── -if [ "${1:-}" != "" ]; then +if [ -n "${1:-}" ]; then + valid=0 + for v in "${VALID_RUNTIMES[@]}"; do + [ "$1" = "$v" ] && valid=1 && break + done + if [ "${valid}" -eq 0 ]; then + err "Unknown runtime '${1}'. Valid: ${VALID_RUNTIMES[*]}" + exit 1 + fi RUNTIMES=("$1") +else + RUNTIMES=("${VALID_RUNTIMES[@]}") fi # ─────────────────────────────────────────────────────
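Review bot: The rejection branch passes the still-unvalidated `${1}` to `err`, which per the hunk header is `echo -e "${RED}[rebuild]${NC} $1"`, so backslash escapes in the rejected argument are interpreted and the message goes to stdout instead of stderr. Since the commit treats `$1` as untrusted, a crafted value could still alter terminal or CI log output even though it is refused as a runtime. Printing it escaped and on stderr avoids that, e.g. `printf '[rebuild] Unknown runtime %q. Valid: %s\n' "$1" "${VALID_RUNTIMES[*]}" >&2` ahead of `exit 1`. `err` is defined outside this hunk, so switching its body to a `printf '%s'` form there would be the broader fix for every caller.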