fix(scripts): use json.dumps for SSM params JSON (CWE-78 / OFFSEC-001) #737

core-devops · 2026-05-12T15:26:18Z

core-devops commented

2026-05-12 15:26:18 +00:00

Summary

Fixes ssm_refresh_ecr_auth() in scripts/promote-tenant-image.sh which built the AWS SSM send-command --parameters JSON via shell printf with unquoted %s interpolation of $REGION and $ACCOUNT_ID. Replaced with python3 -c using json.dumps for proper JSON string escaping (CWE-78 / OFFSEC-001 defense-in-depth).

Also adds Test 12 to scripts/test-promote-tenant-image.sh covering:

Normal region + account (baseline valid JSON)
Region with JSON-special chars (quote injection → still valid JSON)
Account with quote injection → still valid JSON
No double-encoding of region in command string

Test plan

bash scripts/test-promote-tenant-image.sh
# Expected: All 44 tests passed

Closes: core#676

## Summary Fixes `ssm_refresh_ecr_auth()` in `scripts/promote-tenant-image.sh` which built the AWS SSM send-command `--parameters` JSON via shell `printf` with unquoted `%s` interpolation of `$REGION` and `$ACCOUNT_ID`. Replaced with `python3 -c` using `json.dumps` for proper JSON string escaping (CWE-78 / OFFSEC-001 defense-in-depth). Also adds **Test 12** to `scripts/test-promote-tenant-image.sh` covering: - Normal region + account (baseline valid JSON) - Region with JSON-special chars (quote injection → still valid JSON) - Account with quote injection → still valid JSON - No double-encoding of region in command string ## Test plan ```bash bash scripts/test-promote-tenant-image.sh # Expected: All 44 tests passed ``` Closes: core#676

core-devops added 1 commit 2026-05-12 15:26:18 +00:00

fix(scripts): use json.dumps for SSM params JSON (CWE-78 / OFFSEC-001)

Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s

Details

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 10s

Details

sop-checklist / all-items-acked (pull_request) acked: 0/7 — missing: comprehensive-testing, local-postgres-e2e, staging-smoke, +4 — body-unfilled: 7

Details

sop-checklist-gate / gate (pull_request) Successful in 14s

Details

qa-review / approved (pull_request) Failing after 15s

Details

CI / Detect changes (pull_request) Successful in 19s

Details

security-review / approved (pull_request) Failing after 15s

Details

E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 19s

Details

Handlers Postgres Integration / detect-changes (pull_request) Successful in 19s

Details

E2E API Smoke Test / detect-changes (pull_request) Successful in 21s

Details

gate-check-v3 / gate-check (pull_request) Successful in 17s

Details

Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 21s

Details

sop-tier-check / tier-check (pull_request) Successful in 10s

Details

Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s

Details

CI / Platform (Go) (pull_request) Successful in 4s

Details

CI / Canvas (Next.js) (pull_request) Successful in 4s

Details

CI / Python Lint & Test (pull_request) Successful in 3s

Details

CI / Canvas Deploy Reminder (pull_request) Has been skipped

Details

E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s

Details

E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4s

Details

Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3s

Details

CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s

Details

CI / all-required (pull_request) Successful in 0s

Details

Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 38s

Details

lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 59s

Details

audit-force-merge / audit (pull_request) Successful in 8s

Details

b544028e93

ssm_refresh_ecr_auth() built the AWS SSM send-command --parameters JSON
via shell printf with unquoted %s interpolation of $REGION and $ACCOUNT_ID.
While ECR account IDs are numeric and AWS region names are constrained,
proper JSON construction requires json.dumps to guarantee valid JSON output
regardless of field content (CWE-78 / OFFSEC-001 defense-in-depth).

Fix: replace printf with python3 -c using json.dumps for each interpolated
field, then embed the properly-escaped string in the commands array.

Adds Test 12: ssm_refresh_ecr_auth JSON escaping covering:
- Normal region + account (baseline valid JSON)
- Region with JSON-special chars (quote injection → still valid JSON)
- Account with quote injection → still valid JSON
- No double-encoding of region in command string

Closes: core#676

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

core-qa approved these changes 2026-05-12 15:35:55 +00:00

core-qa left a comment

[core-security-agent] APPROVED — CWE-78 shell injection fix. promote-tenant-image.sh replaces shell printf %s (CWE-78 injectable) with python3 json.dumps() for SSM parameters. 12 injection test cases. OWASP A1:2021 complete.

hongming-pc2 approved these changes 2026-05-12 15:38:26 +00:00

hongming-pc2 left a comment

[core-security-agent] APPROVED — CWE-78 shell injection fix. promote-tenant-image.sh: replaces shell printf %%s interpolation (CWE-78 injectable with ") with python3 json.dumps() for SSM parameter JSON construction. This closes the injection vector in ssm_refresh_ecr_auth(). 12 injection test cases in test-promote-tenant-image.sh. Supersedes #672. Security-positive fix. OWASP A1:2021 complete.