🛡️ Sentinel: [CRITICAL] Fix command injection in Unix ID lookups

.jules/sentinel.md

@@ -7,3 +7,7 @@
 **Vulnerability:** The daemon configuration file (`~/.agor/config.yaml`) and its parent directory (`~/.agor`) were created with default file permissions (e.g., `0o755`/`0o644`), which made them readable by other users on the system. This file stores extremely sensitive information such as API keys and master JWT secrets.
 **Learning:** Default Node.js filesystem operations (`fs.writeFile` and `fs.mkdir`) do not enforce strict permissions unless explicitly specified with a `mode` parameter. When handling sensitive files, relying on the system `umask` is insufficient.
 **Prevention:** Always specify `mode: 0o600` for sensitive files and `mode: 0o700` for their parent directories. Additionally, use `fs.chmod` to retroactively secure existing files and directories that might have been created with permissive defaults.
+## 2024-05-25 - Fix Command Injection in Unix ID Lookups
+**Vulnerability:** Found `execSync` used with template literals containing unsanitized dynamic inputs (`username`, `groupName`) in `packages/core/src/unix/id-lookups.ts`, which could lead to arbitrary command execution by attackers passing malicious strings.
+**Learning:** `execSync` executes strings in a shell by default which can interpret metacharacters; dynamic variables should never be interpolated directly into command strings.
+**Prevention:** Use `execFileSync` instead of `execSync`, passing the executable and an array of arguments separately. Prefix dynamic arguments with a double-dash `--` to prevent argument injection where inputs starting with hyphens might be misconstrued as command flags.

packages/core/src/db/repositories/sessions.test.ts

@@ -5,10 +5,10 @@
  * genealogy tracking, and JSON field handling.
  */
 
-import type { Session, UUID } from '@agor/core/types';
-import { SessionStatus } from '@agor/core/types';
 import { describe, expect } from 'vitest';
 import { generateId } from '../../lib/ids';
+import type { Session, UUID } from '../../types';
+import { SessionStatus } from '../../types';
 import { dbTest } from '../test-helpers';
 import { AmbiguousIdError, EntityNotFoundError, RepositoryError } from './base';
 import { RepoRepository } from './repos';

packages/core/src/db/repositories/tasks.test.ts

@@ -4,10 +4,10 @@
  * Tests for type-safe CRUD operations on tasks with short ID support.
  */
 
-import type { Task, UUID } from '@agor/core/types';
-import { TaskStatus } from '@agor/core/types';
 import { describe, expect } from 'vitest';
 import { generateId } from '../../lib/ids';
+import type { Task, UUID } from '../../types';
+import { TaskStatus } from '../../types';
 import type { Database } from '../client';
 import { dbTest } from '../test-helpers';
 import { AmbiguousIdError, EntityNotFoundError, RepositoryError } from './base';

packages/core/src/unix/id-lookups.ts

@@ -4,7 +4,7 @@
  * Supports both Linux (using getent) and macOS (parsing /etc/group and /etc/passwd)
  */
 
-import { execSync } from 'node:child_process';
+import { execFileSync } from 'node:child_process';
 import fs from 'node:fs';
 
 /**
@@ -26,7 +26,7 @@ export function getGidFromGroupName(groupName: string | undefined | null): numbe
   try {
     // Try getent first (Linux, some BSD)
     try {
-      const result = execSync(`getent group "${groupName}"`, {
+      const result = execFileSync('getent', ['group', '--', groupName], {
         encoding: 'utf-8',
         stdio: 'pipe',
         timeout: 2000,
@@ -91,7 +91,7 @@ export function getUidFromUsername(username: string | undefined | null): number
   try {
     // Try `id -u username` first (most reliable)
     try {
-      const result = execSync(`id -u "${username}"`, {
+      const result = execFileSync('id', ['-u', '--', username], {
         encoding: 'utf-8',
         stdio: 'pipe',
         timeout: 2000,
@@ -107,7 +107,7 @@ export function getUidFromUsername(username: string | undefined | null): number
 
     // Try getent (Linux, some BSD)
     try {
-      const result = execSync(`getent passwd "${username}"`, {
+      const result = execFileSync('getent', ['passwd', '--', username], {
         encoding: 'utf-8',
         stdio: 'pipe',
         timeout: 2000,
@@ -171,7 +171,7 @@ export function getHomedirFromUsername(username: string | undefined | null): str
   try {
     // Try getent first (Linux, some BSD)
     try {
-      const result = execSync(`getent passwd "${username}"`, {
+      const result = execFileSync('getent', ['passwd', '--', username], {
         encoding: 'utf-8',
         stdio: 'pipe',
         timeout: 2000,