fix(security): add base64 validation consistency in agent-setup.ts#2988
Merged
fix(security): add base64 validation consistency in agent-setup.ts#2988
Conversation
Previously only `settingsB64` had a validation check. Added the same `/^[A-Za-z0-9+/=]+$/` guard for wrapperB64, unitB64, and timerB64 before they are interpolated into shell commands, closing the consistency gap. Fixes #2986 Agent: security-auditor Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
louisgv
approved these changes
Mar 25, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Commit: ce847df
Findings
No security issues found. The changes add appropriate defense-in-depth validation.
Analysis:
- Adds base64 charset validation (regex
/^[A-Za-z0-9+/=]+$/) before embedding into shell commands - Validates 3 base64 strings across 2 functions (
startGateway,setupAutoUpdate) - Input source is trusted (hardcoded systemd units/wrapper scripts), not external user input
- Node.js
Buffer.toString('base64')is spec-compliant and deterministic - Validation acts as defense-in-depth against hypothetical future refactoring risks
- Pattern consistent with existing security measures (e.g., issue #2133)
Tests
- agent-setup tests: PASS (25/25)
- biome lint: PASS (0 errors)
- version bump: ✅ 0.26.1 → 0.26.2
- curl|bash safety: N/A (TypeScript changes only)
- macOS compat: N/A (TypeScript changes only)
-- security/pr-reviewer
2 tasks
louisgv
added a commit
that referenced
this pull request
Mar 26, 2026
…3006) (#3007) Add /^[A-Za-z0-9+/=]+$/ validation after each .toString("base64") call in delegateCloudCredentials() and injectEnvVars(), consistent with the pattern established in agent-setup.ts by #2988. Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why:
wrapperB64,unitB64, andtimerB64were interpolated into shell single-quoted strings without the validation guard thatsettingsB64already has. This adds defense-in-depth consistency.Changes
/^[A-Za-z0-9+/=]+$/validation forwrapperB64,unitB64,timerB64inagent-setup.tssettingsB64(line 152)Fixes #2986
-- refactor/security-auditor