fix(#274): Add input validation to prevent command injection in git operations

Implemented strict whitelist-based validation for git branch names and repository URLs to prevent command injection vulnerabilities in worktree operations. Security fixes: - Created git-validation.util.ts with whitelist validation functions - Added custom DTO validators for branch names and repository URLs - Applied defense-in-depth validation in WorktreeManagerService - Comprehensive test coverage (31 tests) for all validation scenarios Validation rules: - Branch names: alphanumeric + hyphens + underscores + slashes + dots only - Repository URLs: https://, http://, ssh://, git:// protocols only - Blocks: option injection (--), command substitution ($(), ``), shell operators - Prevents: SSRF attacks (localhost, internal networks), credential injection Defense layers: 1. DTO validation (first line of defense at API boundary) 2. Service-level validation (defense-in-depth before git operations) Fixes #274 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 20:17:47 -06:00
parent 148121c9d4
commit 7a84d96d72
5 changed files with 555 additions and 0 deletions
--- a/apps/orchestrator/src/api/agents/dto/spawn-agent.dto.ts
+++ b/apps/orchestrator/src/api/agents/dto/spawn-agent.dto.ts
@@ -7,10 +7,65 @@ import {
  IsOptional,
  ArrayNotEmpty,
  IsIn,
+  Validate,
+  ValidatorConstraint,
+  ValidatorConstraintInterface,
+  ValidationArguments,
 } from "class-validator";
 import { Type } from "class-transformer";
 import { AgentType } from "../../../spawner/types/agent-spawner.types";
 import { GateProfileType } from "../../../coordinator/types/gate-config.types";
+import { validateBranchName, validateRepositoryUrl } from "../../../git/git-validation.util";
+
+/**
+ * Custom validator for git branch names
+ * Uses whitelist-based validation to prevent command injection
+ */
+@ValidatorConstraint({ name: "isValidBranchName", async: false })
+export class IsValidBranchName implements ValidatorConstraintInterface {
+  validate(branchName: string, _args: ValidationArguments): boolean {
+    try {
+      validateBranchName(branchName);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  defaultMessage(args: ValidationArguments): string {
+    try {
+      validateBranchName(args.value as string);
+      return "Branch name is invalid";
+    } catch (error) {
+      return error instanceof Error ? error.message : "Branch name is invalid";
+    }
+  }
+}
+
+/**
+ * Custom validator for git repository URLs
+ * Prevents SSRF and command injection via dangerous protocols
+ */
+@ValidatorConstraint({ name: "isValidRepositoryUrl", async: false })
+export class IsValidRepositoryUrl implements ValidatorConstraintInterface {
+  validate(repositoryUrl: string, _args: ValidationArguments): boolean {
+    try {
+      validateRepositoryUrl(repositoryUrl);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  defaultMessage(args: ValidationArguments): string {
+    try {
+      validateRepositoryUrl(args.value as string);
+      return "Repository URL is invalid";
+    } catch (error) {
+      return error instanceof Error ? error.message : "Repository URL is invalid";
+    }
+  }
+}

 /**
 * Context DTO for agent spawn request
@@ -18,10 +73,12 @@ import { GateProfileType } from "../../../coordinator/types/gate-config.types";
 export class AgentContextDto {
  @IsString()
  @IsNotEmpty()
+  @Validate(IsValidRepositoryUrl)
  repository!: string;

  @IsString()
  @IsNotEmpty()
+  @Validate(IsValidBranchName)
  branch!: string;

  @IsArray()
--- a/apps/orchestrator/src/git/git-validation.util.spec.ts
+++ b/apps/orchestrator/src/git/git-validation.util.spec.ts
@@ -0,0 +1,238 @@
+/**
+ * Git Validation Utility Tests
+ *
+ * Tests for command injection prevention in git operations
+ */
+
+import { describe, it, expect } from "vitest";
+import { BadRequestException } from "@nestjs/common";
+import {
+  validateBranchName,
+  validateRepositoryUrl,
+  validateSpawnContext,
+} from "./git-validation.util";
+
+describe("validateBranchName", () => {
+  describe("Valid branch names", () => {
+    it("should accept standard branch names", () => {
+      expect(() => validateBranchName("main")).not.toThrow();
+      expect(() => validateBranchName("develop")).not.toThrow();
+      expect(() => validateBranchName("master")).not.toThrow();
+    });
+
+    it("should accept feature branch names with slashes", () => {
+      expect(() => validateBranchName("feature/add-login")).not.toThrow();
+      expect(() => validateBranchName("fix/bug-123")).not.toThrow();
+      expect(() => validateBranchName("hotfix/security-patch")).not.toThrow();
+    });
+
+    it("should accept branch names with hyphens and underscores", () => {
+      expect(() => validateBranchName("feature-branch")).not.toThrow();
+      expect(() => validateBranchName("feature_branch")).not.toThrow();
+      expect(() => validateBranchName("feature-branch_v2")).not.toThrow();
+    });
+
+    it("should accept branch names with dots", () => {
+      expect(() => validateBranchName("release/1.0.0")).not.toThrow();
+      expect(() => validateBranchName("v2.5.1")).not.toThrow();
+    });
+
+    it("should accept branch names with numbers", () => {
+      expect(() => validateBranchName("feature-123")).not.toThrow();
+      expect(() => validateBranchName("123-bugfix")).not.toThrow();
+    });
+  });
+
+  describe("Invalid branch names (Command Injection)", () => {
+    it("should reject empty or whitespace-only names", () => {
+      expect(() => validateBranchName("")).toThrow(BadRequestException);
+      expect(() => validateBranchName("   ")).toThrow(BadRequestException);
+      expect(() => validateBranchName("\t")).toThrow(BadRequestException);
+    });
+
+    it("should reject names starting with hyphen (option injection)", () => {
+      expect(() => validateBranchName("--config")).toThrow(BadRequestException);
+      expect(() => validateBranchName("-malicious")).toThrow(BadRequestException);
+    });
+
+    it("should reject names with double dots (range specification)", () => {
+      expect(() => validateBranchName("feature..main")).toThrow(BadRequestException);
+      expect(() => validateBranchName("..malicious")).toThrow(BadRequestException);
+    });
+
+    it("should reject names with path traversal patterns", () => {
+      expect(() => validateBranchName("../etc/passwd")).toThrow(BadRequestException);
+      expect(() => validateBranchName("feature/../main")).toThrow(BadRequestException);
+      expect(() => validateBranchName("malicious/..")).toThrow(BadRequestException);
+    });
+
+    it("should reject names ending with .lock (reserved by git)", () => {
+      expect(() => validateBranchName("feature.lock")).toThrow(BadRequestException);
+      expect(() => validateBranchName("main.lock")).toThrow(BadRequestException);
+    });
+
+    it("should reject names with special shell characters", () => {
+      expect(() => validateBranchName("feature;rm -rf /")).toThrow(BadRequestException);
+      expect(() => validateBranchName("feature$malicious")).toThrow(BadRequestException);
+      expect(() => validateBranchName("feature`whoami`")).toThrow(BadRequestException);
+      expect(() => validateBranchName("feature$(whoami)")).toThrow(BadRequestException);
+      expect(() => validateBranchName("feature|malicious")).toThrow(BadRequestException);
+      expect(() => validateBranchName("feature&malicious")).toThrow(BadRequestException);
+    });
+
+    it("should reject names with control characters", () => {
+      expect(() => validateBranchName("feature\x00malicious")).toThrow(BadRequestException);
+      expect(() => validateBranchName("feature\x1Fmalicious")).toThrow(BadRequestException);
+      expect(() => validateBranchName("feature\x7Fmalicious")).toThrow(BadRequestException);
+    });
+
+    it("should reject names exceeding maximum length", () => {
+      const longName = "a".repeat(256);
+      expect(() => validateBranchName(longName)).toThrow(BadRequestException);
+    });
+
+    it("should reject names with spaces", () => {
+      expect(() => validateBranchName("feature branch")).toThrow(BadRequestException);
+      expect(() => validateBranchName("feature branch")).toThrow(BadRequestException);
+    });
+  });
+});
+
+describe("validateRepositoryUrl", () => {
+  describe("Valid repository URLs", () => {
+    it("should accept HTTPS URLs", () => {
+      expect(() => validateRepositoryUrl("https://github.com/user/repo.git")).not.toThrow();
+      expect(() => validateRepositoryUrl("https://gitlab.com/group/project.git")).not.toThrow();
+      expect(() => validateRepositoryUrl("https://bitbucket.org/user/repo.git")).not.toThrow();
+    });
+
+    it("should accept HTTP URLs (for development)", () => {
+      expect(() => validateRepositoryUrl("http://git.example.com/repo.git")).not.toThrow();
+    });
+
+    it("should accept SSH URLs with git@ format", () => {
+      expect(() => validateRepositoryUrl("git@github.com:user/repo.git")).not.toThrow();
+      expect(() => validateRepositoryUrl("ssh://git@gitlab.com/user/repo.git")).not.toThrow();
+    });
+
+    it("should accept git:// protocol", () => {
+      expect(() => validateRepositoryUrl("git://github.com/user/repo.git")).not.toThrow();
+    });
+  });
+
+  describe("Invalid repository URLs (Security Risks)", () => {
+    it("should reject empty or whitespace-only URLs", () => {
+      expect(() => validateRepositoryUrl("")).toThrow(BadRequestException);
+      expect(() => validateRepositoryUrl("   ")).toThrow(BadRequestException);
+    });
+
+    it("should reject dangerous protocols (file://)", () => {
+      expect(() => validateRepositoryUrl("file:///etc/passwd")).toThrow(BadRequestException);
+      expect(() => validateRepositoryUrl("file://C:/Windows/System32")).toThrow(
+        BadRequestException
+      );
+    });
+
+    it("should reject dangerous protocols (javascript:, data:)", () => {
+      expect(() => validateRepositoryUrl("javascript:alert('XSS')")).toThrow(BadRequestException);
+      expect(() => validateRepositoryUrl("data:text/html,<script>alert('XSS')</script>")).toThrow(
+        BadRequestException
+      );
+    });
+
+    it("should reject localhost URLs (SSRF protection)", () => {
+      expect(() => validateRepositoryUrl("https://localhost/repo.git")).toThrow(
+        BadRequestException
+      );
+      expect(() => validateRepositoryUrl("https://127.0.0.1/repo.git")).toThrow(
+        BadRequestException
+      );
+      expect(() => validateRepositoryUrl("https://0.0.0.0/repo.git")).toThrow(BadRequestException);
+      expect(() => validateRepositoryUrl("http://::1/repo.git")).toThrow(BadRequestException);
+    });
+
+    it("should reject internal network URLs (SSRF protection)", () => {
+      expect(() => validateRepositoryUrl("https://192.168.1.1/repo.git")).toThrow(
+        BadRequestException
+      );
+      expect(() => validateRepositoryUrl("https://10.0.0.1/repo.git")).toThrow(BadRequestException);
+      expect(() => validateRepositoryUrl("https://172.16.0.1/repo.git")).toThrow(
+        BadRequestException
+      );
+    });
+
+    it("should reject URLs with embedded credentials", () => {
+      expect(() => validateRepositoryUrl("https://user:pass@github.com/repo.git")).toThrow(
+        BadRequestException
+      );
+    });
+
+    it("should reject URLs with shell special characters", () => {
+      expect(() => validateRepositoryUrl("https://github.com/repo.git;whoami")).toThrow(
+        BadRequestException
+      );
+      expect(() => validateRepositoryUrl("https://github.com/repo.git|malicious")).toThrow(
+        BadRequestException
+      );
+      expect(() => validateRepositoryUrl("https://github.com/repo.git&malicious")).toThrow(
+        BadRequestException
+      );
+      expect(() => validateRepositoryUrl("https://github.com/repo.git$malicious")).toThrow(
+        BadRequestException
+      );
+      expect(() => validateRepositoryUrl("https://github.com/repo.git`whoami`")).toThrow(
+        BadRequestException
+      );
+    });
+
+    it("should reject URLs exceeding maximum length", () => {
+      const longUrl = "https://github.com/" + "a".repeat(2000) + ".git";
+      expect(() => validateRepositoryUrl(longUrl)).toThrow(BadRequestException);
+    });
+
+    it("should reject unknown/dangerous protocols", () => {
+      expect(() => validateRepositoryUrl("ftp://example.com/repo.git")).toThrow(
+        BadRequestException
+      );
+      expect(() => validateRepositoryUrl("telnet://example.com")).toThrow(BadRequestException);
+    });
+  });
+});
+
+describe("validateSpawnContext", () => {
+  it("should validate both repository and branch", () => {
+    expect(() =>
+      validateSpawnContext({
+        repository: "https://github.com/user/repo.git",
+        branch: "feature/add-login",
+      })
+    ).not.toThrow();
+  });
+
+  it("should reject invalid repository", () => {
+    expect(() =>
+      validateSpawnContext({
+        repository: "file:///etc/passwd",
+        branch: "main",
+      })
+    ).toThrow(BadRequestException);
+  });
+
+  it("should reject invalid branch", () => {
+    expect(() =>
+      validateSpawnContext({
+        repository: "https://github.com/user/repo.git",
+        branch: "--config malicious",
+      })
+    ).toThrow(BadRequestException);
+  });
+
+  it("should reject both invalid repository and branch", () => {
+    expect(() =>
+      validateSpawnContext({
+        repository: "javascript:alert('XSS')",
+        branch: "$(whoami)",
+      })
+    ).toThrow(BadRequestException);
+  });
+});
--- a/apps/orchestrator/src/git/git-validation.util.ts
+++ b/apps/orchestrator/src/git/git-validation.util.ts
@@ -0,0 +1,174 @@
+/**
+ * Git Input Validation Utility
+ *
+ * Provides strict validation for git references (branch names, repository URLs)
+ * to prevent command injection vulnerabilities.
+ *
+ * Security: Whitelist-based approach - only allow known-safe characters.
+ */
+
+import { BadRequestException } from "@nestjs/common";
+
+/**
+ * Validates a git branch name for safety
+ *
+ * Allowed format: alphanumeric, hyphens, underscores, forward slashes
+ * Examples: "main", "feature/add-login", "fix/bug_123"
+ *
+ * Rejected: Special characters that could be interpreted as git syntax
+ * Examples: "--option", "$(command)", ";malicious", "`command`"
+ *
+ * @param branchName - The branch name to validate
+ * @throws BadRequestException if branch name is invalid
+ */
+export function validateBranchName(branchName: string): void {
+  // Check for empty or whitespace-only
+  if (!branchName || branchName.trim().length === 0) {
+    throw new BadRequestException("Branch name cannot be empty");
+  }
+
+  // Check length (git has a 255 char limit for ref names)
+  if (branchName.length > 255) {
+    throw new BadRequestException("Branch name exceeds maximum length (255 characters)");
+  }
+
+  // Whitelist: only allow alphanumeric, hyphens, underscores, forward slashes, dots
+  // This prevents all forms of command injection
+  const safePattern = /^[a-zA-Z0-9/_.-]+$/;
+  if (!safePattern.test(branchName)) {
+    throw new BadRequestException(
+      `Branch name contains invalid characters. Only alphanumeric, hyphens, underscores, slashes, and dots are allowed.`
+    );
+  }
+
+  // Prevent git option injection (branch names starting with -)
+  if (branchName.startsWith("-")) {
+    throw new BadRequestException(
+      "Branch name cannot start with a hyphen (prevents option injection)"
+    );
+  }
+
+  // Prevent double dots (used for range specifications in git)
+  if (branchName.includes("..")) {
+    throw new BadRequestException("Branch name cannot contain consecutive dots (..)");
+  }
+
+  // Prevent path traversal patterns
+  if (branchName.includes("/../") || branchName.startsWith("../") || branchName.endsWith("/..")) {
+    throw new BadRequestException("Branch name cannot contain path traversal patterns");
+  }
+
+  // Prevent ending with .lock (reserved by git)
+  if (branchName.endsWith(".lock")) {
+    throw new BadRequestException("Branch name cannot end with .lock (reserved by git)");
+  }
+
+  // Prevent control characters
+  // eslint-disable-next-line no-control-regex
+  if (/[\x00-\x1F\x7F]/.test(branchName)) {
+    throw new BadRequestException("Branch name cannot contain control characters");
+  }
+}
+
+/**
+ * Validates a git repository URL for safety
+ *
+ * Allowed protocols: https, http (dev only), ssh (git@)
+ * Prevents: file://, javascript:, data:, and other dangerous protocols
+ *
+ * @param repositoryUrl - The repository URL to validate
+ * @throws BadRequestException if URL is invalid or uses dangerous protocol
+ */
+export function validateRepositoryUrl(repositoryUrl: string): void {
+  // Check for empty or whitespace-only
+  if (!repositoryUrl || repositoryUrl.trim().length === 0) {
+    throw new BadRequestException("Repository URL cannot be empty");
+  }
+
+  // Check length (reasonable limit for URLs)
+  if (repositoryUrl.length > 2000) {
+    throw new BadRequestException("Repository URL exceeds maximum length (2000 characters)");
+  }
+
+  // Remove whitespace
+  const url = repositoryUrl.trim();
+
+  // Whitelist allowed protocols
+  const httpsPattern = /^https:\/\//i;
+  const httpPattern = /^http:\/\//i; // Only for development
+  const sshGitPattern = /^git@[a-zA-Z0-9.-]+:/; // git@host:repo format
+  const sshUrlPattern = /^ssh:\/\/git@[a-zA-Z0-9.-]+(\/|:)/; // ssh://git@host/repo or ssh://git@host:repo
+
+  if (
+    !httpsPattern.test(url) &&
+    !httpPattern.test(url) &&
+    !sshGitPattern.test(url) &&
+    !sshUrlPattern.test(url) &&
+    !url.startsWith("git://")
+  ) {
+    throw new BadRequestException(
+      "Repository URL must use https://, http://, ssh://, git://, or git@ protocol"
+    );
+  }
+
+  // Prevent dangerous protocols
+  const dangerousProtocols = [
+    "file://",
+    "javascript:",
+    "data:",
+    "vbscript:",
+    "about:",
+    "chrome:",
+    "view-source:",
+  ];
+
+  for (const dangerous of dangerousProtocols) {
+    if (url.toLowerCase().startsWith(dangerous)) {
+      throw new BadRequestException(
+        `Repository URL cannot use ${dangerous} protocol (security risk)`
+      );
+    }
+  }
+
+  // Prevent localhost/internal network access (SSRF protection)
+  const localhostPatterns = [
+    /https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0|::1)/i,
+    /https?:\/\/192\.168\./i,
+    /https?:\/\/10\./i,
+    /https?:\/\/172\.(1[6-9]|2\d|3[01])\./i,
+  ];
+
+  for (const pattern of localhostPatterns) {
+    if (pattern.test(url)) {
+      throw new BadRequestException(
+        "Repository URL cannot point to localhost or internal networks (SSRF protection)"
+      );
+    }
+  }
+
+  // Prevent credential injection in URL
+  if (url.includes("@") && !sshGitPattern.test(url) && !sshUrlPattern.test(url)) {
+    // Extract the part before @ to check if it looks like credentials
+    const beforeAt = url.split("@")[0];
+    if (beforeAt.includes("://") && beforeAt.split("://")[1].includes(":")) {
+      throw new BadRequestException("Repository URL cannot contain embedded credentials");
+    }
+  }
+
+  // Prevent control characters and dangerous characters in URL
+  // eslint-disable-next-line no-control-regex
+  if (/[\x00-\x1F\x7F`$;|&]/.test(url)) {
+    throw new BadRequestException("Repository URL contains invalid or dangerous characters");
+  }
+}
+
+/**
+ * Validates a complete agent spawn context
+ *
+ * @param context - The spawn context with repository and branch
+ * @throws BadRequestException if any field is invalid
+ */
+export function validateSpawnContext(context: { repository: string; branch: string }): void {
+  validateRepositoryUrl(context.repository);
+  validateBranchName(context.branch);
+}
--- a/apps/orchestrator/src/git/worktree-manager.service.ts
+++ b/apps/orchestrator/src/git/worktree-manager.service.ts
@@ -3,6 +3,7 @@ import { simpleGit, SimpleGit } from "simple-git";
 import * as path from "path";
 import { GitOperationsService } from "./git-operations.service";
 import { WorktreeInfo, WorktreeError } from "./types";
+import { validateBranchName } from "./git-validation.util";

 /**
 * Result of worktree cleanup operation
@@ -70,6 +71,10 @@ export class WorktreeManagerService {
      throw new Error("taskId is required");
    }

+    // Validate baseBranch to prevent command injection
+    // This is defense-in-depth - DTO validation should catch this first
+    validateBranchName(baseBranch);
+
    const worktreePath = this.getWorktreePath(repoPath, agentId, taskId);
    const branchName = this.getBranchName(agentId, taskId);

@@ -79,6 +84,7 @@ export class WorktreeManagerService {
      const git = this.getGit(repoPath);

      // Create worktree with new branch
+      // baseBranch is validated above to prevent command injection
      await git.raw(["worktree", "add", worktreePath, "-b", branchName, baseBranch]);

      this.logger.log(`Successfully created worktree at ${worktreePath}`);
--- a/docs/scratchpads/274-command-injection.md
+++ b/docs/scratchpads/274-command-injection.md
@@ -0,0 +1,80 @@
+# Issue #274: Sanitize agent spawn command payloads (command injection risk)
+
+## Objective
+
+Add input validation and sanitization to agent spawn command payloads to prevent command injection vulnerabilities in git operations.
+
+## Security Impact
+
+**Severity:** P0 (Critical) - Blocks production deployment
+**Attack Vector:** Federated instances can inject malicious commands via branch names
+**Risk:** Command injection in git operations allowing arbitrary code execution
+
+## Vulnerability Details
+
+### Attack Flow
+
+1. Attacker sends federation command with malicious branch name
+2. Payload passes through command service without validation
+3. Branch name used directly in `git worktree add` command
+4. Malicious git syntax executed on orchestrator
+
+### Vulnerable Code
+
+**File:** `apps/orchestrator/src/git/worktree-manager.service.ts:82`
+
+```typescript
+await git.raw(["worktree", "add", worktreePath, "-b", branchName, baseBranch]);
+```
+
+**Input Source:** Federation command payload → no validation → git command
+
+### Attack Example
+
+```json
+{
+  "commandType": "agent.spawn",
+  "payload": {
+    "context": {
+      "branch": "feature/--config user.core.sshCommand=malicious"
+    }
+  }
+}
+```
+
+## Approach
+
+### 1. Add Input Validation DTOs
+
+- Strict regex for branch names (alphanumeric + hyphens + underscores + slashes)
+- Repository URL validation (https/ssh only)
+- Reject dangerous characters (`;`, `$`, `` ` ``, `--`, etc.)
+
+### 2. Create Sanitization Utility
+
+- Whitelist-based approach
+- Validate before any git operation
+- Clear error messages on rejection
+
+### 3. Apply at Multiple Layers
+
+- DTO validation (first line of defense)
+- Service-level sanitization (defense in depth)
+- Git operation wrapper (last resort)
+
+## Progress
+
+- [ ] Create validation utility
+- [ ] Update SpawnAgentDto with strict validation
+- [ ] Update SpawnAgentCommandPayload type
+- [ ] Add sanitization in WorktreeManagerService
+- [ ] Add tests for validation
+- [ ] Add tests for sanitization
+- [ ] Security vulnerability FIXED
+- [ ] Create PR
+- [ ] Merge to develop
+- [ ] Close issue #274
+
+## Implementation Status
+
+**IN PROGRESS** - Adding input validation and sanitization