security: fix CodeQL command injection and URL sanitization issues

fabiovincenzi · fabiovincenzi · commit 7662e6a397a6 · 2025-12-17T11:02:13.000+01:00
- Add '--' separator in git clone to prevent flag injection via repo names
- Validate SSH host key paths to prevent command injection in ssh-keygen
- Use strict equality for GitHub/GitLab hostname checks to prevent subdomain spoofing
- Add .gitignore entry for test/.ssh/ directory

Fixes CodeQL security alerts:
- Second order command injection (2 instances)
- Incomplete URL substring sanitization (2 instances)
- Uncontrolled command line (1 instance)
diff --git a/.gitignore b/.gitignore
@@ -272,10 +272,12 @@ website/.docusaurus
 
 # Test SSH keys (generated during tests)
 test/keys/
+test/.ssh/
 
 # VS COde IDE
 .vscode/settings.json
 
 # Generated from testing
 /test/fixtures/test-package/package-lock.json
 .ssh/
+
diff --git a/src/proxy/processors/push-action/PullRemoteSSH.ts b/src/proxy/processors/push-action/PullRemoteSSH.ts
@@ -59,7 +59,7 @@ export class PullRemoteSSH extends PullRemoteBase {
       await new Promise<void>((resolve, reject) => {
         const gitProc = spawn(
           'git',
-          ['clone', '--depth', '1', '--single-branch', sshUrl, action.repoName],
+          ['clone', '--depth', '1', '--single-branch', '--', sshUrl, action.repoName],
           {
             cwd: action.proxyGitPath,
             env: {
diff --git a/src/proxy/ssh/GitProtocol.ts b/src/proxy/ssh/GitProtocol.ts
@@ -194,9 +194,9 @@ async function executeRemoteGitCommand(
           errorMessage += `  1. Verify your SSH key is loaded in ssh-agent:\n`;
           errorMessage += `     $ ssh-add -l\n\n`;
           errorMessage += `  2. Add your SSH public key to ${remoteHost}:\n`;
-          if (remoteHost.includes('github.com')) {
+          if (remoteHost === 'github.com') {
             errorMessage += `     https://github.com/settings/keys\n\n`;
-          } else if (remoteHost.includes('gitlab.com')) {
+          } else if (remoteHost === 'gitlab.com') {
             errorMessage += `     https://gitlab.com/-/profile/keys\n\n`;
           } else {
             errorMessage += `     Check your Git hosting provider's SSH key settings\n\n`;
diff --git a/src/proxy/ssh/hostKeyManager.ts b/src/proxy/ssh/hostKeyManager.ts
@@ -35,6 +35,15 @@ export interface HostKeyConfig {
 export function ensureHostKey(config: HostKeyConfig): Buffer {
   const { privateKeyPath, publicKeyPath } = config;
 
+  // Validate paths to prevent command injection
+  // Only allow alphanumeric, dots, slashes, underscores, hyphens
+  const safePathRegex = /^[a-zA-Z0-9._\-\/]+$/;
+  if (!safePathRegex.test(privateKeyPath) || !safePathRegex.test(publicKeyPath)) {
+    throw new Error(
+      `Invalid SSH host key path: paths must contain only alphanumeric characters, dots, slashes, underscores, and hyphens`,
+    );
+  }
+
   // Check if the private key already exists
   if (fs.existsSync(privateKeyPath)) {
     console.log(`[SSH] Using existing proxy host key: ${privateKeyPath}`);

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ export class PullRemoteSSH extends PullRemoteBase {`
`59`	`59`	`await new Promise<void>((resolve, reject) => {`
`60`	`60`	`const gitProc = spawn(`
`61`	`61`	`'git',`
`62`		`- ['clone', '--depth', '1', '--single-branch', sshUrl, action.repoName],`
	`62`	`+ ['clone', '--depth', '1', '--single-branch', '--', sshUrl, action.repoName],`
`63`	`63`	`{`
`64`	`64`	`cwd: action.proxyGitPath,`
`65`	`65`	`env: {`