
fix: command injection in snapshot restore() #241

Open
JasonOA888 wants to merge 1 commit into benchflow-ai:main from JasonOA888:fix/snapshot-restore-command-injection
JasonOA888 commented May 7, 2026

Bug

restore() in _snapshot.py parses user-controlled ref strings and interpolates the path segment directly into shell commands without quoting or validation:

parts = ref.split(":", 2)
snap_path = parts[2]  # attacker-controlled
await env.exec(f"test -f {snap_path} && echo ok || echo missing")
await env.exec(f"tar xzf {snap_path} -C {workspace}")

A crafted ref like fs:x:/tmp/ok; rm -rf / injects arbitrary shell commands.

Since restore() and snapshot() are exported as public API from __init__.py, any caller passing an untrusted ref is vulnerable.

Fix

  • Validate snap_path must be under _SNAP_DIR and end with .tar.gz
  • Reject .. path traversal components
  • Quote all shell arguments with shlex.quote()
  • Harden snapshot() with shlex.quote for consistency

Test

# Crafted ref is blocked by .tar.gz suffix check
ref = "fs:x:/tmp/.benchflow_snapshots/x; rm -rf /"
# -> ValueError: path must be under _SNAP_DIR

# Path traversal is blocked
ref = "fs:x:/tmp/.benchflow_snapshots/../../etc/passwd.tar.gz"  
# -> ValueError: path traversal not allowed


restore() parsed user-controlled ref strings and interpolated the path
segment directly into shell commands (test -f, tar xzf) without quoting
or validation. A crafted ref like 'fs:x:/tmp/ok; rm -rf /' would inject
arbitrary commands.

Fix:
- Validate snap_path must be under _SNAP_DIR and end with .tar.gz
- Reject path traversal (..) components
- Quote all shell arguments with shlex.quote()
- Also harden snapshot() with shlex.quote for consistency
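
The three layers listed in the commit message above, as an added example that is not code from this PR or from the benchflow project. Assumptions: `_SNAP_DIR` is inferred from the refs in the Test section, the function names, check order and error strings are the example's own, and commands are only built as strings, never executed. The third sample ref is constructed to pass all validation while still containing shell metacharacters, which is the case only `shlex.quote()` handles.

```python
import shlex

# Assumption: directory inferred from the refs in the PR's Test section.
_SNAP_DIR = "/tmp/.benchflow_snapshots"


def validate_ref(ref: str) -> str:
    """Return the archive path from an 'fs:<name>:<path>' ref, or raise ValueError."""
    parts = ref.split(":", 2)
    if len(parts) != 3:
        raise ValueError("malformed ref")
    snap_path = parts[2]
    if ".." in snap_path.split("/"):
        raise ValueError("path traversal not allowed")
    if not snap_path.startswith(_SNAP_DIR + "/"):
        raise ValueError("path must be under _SNAP_DIR")
    if not snap_path.endswith(".tar.gz"):
        raise ValueError("path must end with .tar.gz")
    return snap_path


def build_restore_commands(ref: str, workspace: str) -> list:
    """Build the two shell strings restore() runs, with every argument quoted."""
    snap = shlex.quote(validate_ref(ref))
    ws = shlex.quote(workspace)
    return [
        f"test -f {snap} && echo ok || echo missing",
        f"tar xzf {snap} -C {ws}",
    ]


def rejection_reason(ref: str):
    """Return the ValueError message for a rejected ref, or None if accepted."""
    try:
        validate_ref(ref)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Two refs from the PR's Test section plus one constructed for this example.
    for ref in (
        "fs:x:/tmp/.benchflow_snapshots/x; rm -rf /",
        "fs:x:/tmp/.benchflow_snapshots/../../etc/passwd.tar.gz",
        "fs:x:/tmp/.benchflow_snapshots/x; echo injected;.tar.gz",
    ):
        print(repr(ref), "->", rejection_reason(ref) or build_restore_commands(ref, "/workspace"))
```

Splitting the built `tar` command with `shlex.split()` yields exactly five tokens for the third ref, so the shell sees the whole path as one argument.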

devin-ai-integration (Bot, Contributor) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.
