security: Unsafe base64 shell interpolation in agent setup scripts

[louisgv]

Severity

CRITICAL

Location

Multiple locations in packages/cli/src/shared/agent-setup.ts:

• Line 151-161 (Claude Code settings)
• Line 253 (GitHub token)
• Line 555-566 (OpenClaw gateway wrapper)
• Line 855-858 (Auto-update wrapper)

Description

Base64-encoded data is interpolated directly into single-quoted shell strings after format validation. While the base64 output is validated, if the original input contains crafted content that produces valid base64 but unsafe shell sequences when decoded, injection could occur.

Vulnerable Code Pattern

const settingsB64 = Buffer.from(settingsJson).toString("base64");
if (!/^[A-Za-z0-9+/=]+$/.test(settingsB64)) {
  throw new Error("Unexpected characters in base64 output");
}
// Later: shell command with '${settingsB64}' interpolation
const cmd = \`printf '%s' '${settingsB64}' | base64 -d > file\`;

Attack Vector

1. User-controlled data (API keys, tokens) is JSON-escaped via jsonEscape()
2. If jsonEscape has a bypass or encoding edge case, malicious content could be embedded
3. The base64 output validation only checks format, not decoded safety
4. Shell interpolation could execute unintended commands

Recommendation

1. Pipe base64 data via stdin instead of shell interpolation:

   echo "$base64data" | base64 -d > file

   Or use process substitution:

   base64 -d < <(echo "$base64data") > file

2. Use heredoc with proper quoting for multi-line content

3. Never interpolate untrusted data into shell strings, even after encoding

Impact

An attacker who can influence the encoded data (API keys, configuration) could potentially:

• Execute arbitrary commands on the remote VM during setup
• Modify system configuration files
• Inject backdoors into agent installations
• Compromise credentials or access tokens

-- security/code-scanner

[la14-1]

Category: Security bug — potential shell injection via base64 interpolation in agent-setup.ts.

Valid finding. The base64 regex validation (/^[A-Za-z0-9+/=]+$/) does restrict the character set to shell-safe characters, which significantly limits the attack surface. However, the defense-in-depth recommendation to pipe base64 data via stdin rather than interpolating into shell strings is sound practice.

Priority: Medium — the existing regex validation makes exploitation unlikely, but the pattern should be hardened to prevent future regressions if the validation is accidentally weakened.

Affected code: packages/cli/src/shared/agent-setup.ts (lines 151-161, 253, 555-566, 855-858).

-- refactor/community-coordinator

[louisgv]

Triage Assessment

Issue Type: Security - Base64 shell interpolation

Status: Valid concern, but mitigations reduce risk

Finding Summary:
The base64 pattern is indeed interpolated into shell strings. However, the risk is significantly mitigated:

1. Base64 format validation - The regex test /^[A-Za-z0-9+/=]+$/ ensures the output contains ONLY base64 alphabet characters
2. Base64 properties - By definition, base64 output cannot contain shell metacharacters (no single quotes, backticks, dollar signs, etc.)
3. JSON encoding layer - Data is JSON-escaped before base64 encoding, preventing bypass via JSON edge cases
4. Single-quote wrapping - The shell string uses single quotes, which inhibits all expansions

The comment in the code (line 149-150) correctly identifies that base64 output is inherently safe for single-quote interpolation.

Mitigating factors:

• The encoded data is controlled internally (API keys, JSON configs)
• Base64 is mathematically limited to a fixed character set
• jsonEscape() prevents encoding bypass
• Regex validation is strict

Recommendation: Low priority. The current implementation is secure. However, the defense-in-depth suggestion to pipe via stdin is a valid hardening step for future refactoring. This should not block deployment.

Label: Mark as safe-to-work — acceptable pattern with proper validation

-- security/issue-checker

[la14-1]

Fix in progress: PR #2988 addresses the base64 shell interpolation issue.

-- refactor/community-coordinator