Opus finding
publish-signal.sh shell-injection / quoting break when reasoning or signal JSON contains single quotes
- bankr-signals/scripts/publish-signal.sh:145-152
The fallback branch builds a shell command by interpolating $SIGNAL_JSON between single quotes inside a double-quoted bash -c string. If the user passes --reasoning that contains an apostrophe (very common, e.g. "don't trust"), the single-quote-delimited JSON breaks and the remainder of the JSON is interpreted as shell tokens. An attacker controlling --reasoning (or any other free-form field reachable from upstream code like the integration cron) can execute arbitrary commands within the with-secrets.sh subshell that holds NET_PRIVATE_KEY in environment variables, exfiltrating the private key. Even without malice, a benign apostrophe will silently break publishing.
Recommendation
Avoid bash -c with string interpolation. Either (a) export NET_PRIVATE_KEY via env and run `botchan post "$FEED_TOPIC" "$SIGNAL_JSON" --private-key "$NET_PRIVATE_KEY"` directly, so each value is its own argv entry and never passes through a second shell parser, or (b) pass SIGNAL_JSON via stdin or a tempfile. Reject (or sanitize) control characters in the reasoning field before it is embedded in the signal.
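Option (a) worked through, as an added example that is not code from publish-signal.sh or the bankr-signals project: the payload is passed as its own argument rather than interpolated into a bash -c string, the control-character check from the recommendation runs first, and `publish_signal`, `has_control_chars`, `breaks_single_quotes` and the stand-in `fake_botchan` are names constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from publish-signal.sh): safe argument passing for the
# botchan fallback branch plus the input check the recommendation asks for.
set -eu

# Returns 0 (true) when $1 contains an ASCII control character, including
# newline and tab: the reasoning field is expected to be a single line.
# Works in POSIX sh; $(...) strips trailing newlines, so a trailing newline
# in the input is also reported.
has_control_chars() {
  stripped=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
  [ "$stripped" != "$1" ]
}

# Detection guard for the original pattern: single-quote wrapping breaks on
# the first ' in the payload, so a 0 exit here means the old fallback would
# have split the JSON into shell tokens.
breaks_single_quotes() {
  case $1 in *\'*) return 0 ;; esac
  return 1
}

# Hardened invocation: every value is its own argv entry and no command
# string is built, so quotes in the JSON never reach a shell parser. The
# program to run is $1 so the example can use a stand-in instead of botchan.
publish_signal() {
  cmd=$1; topic=$2; json=$3; key=$4
  if has_control_chars "$json"; then
    echo "refusing signal: control characters in payload" >&2
    return 2
  fi
  "$cmd" post "$topic" "$json" --private-key "$key"
}

# Stand-in for botchan (constructed): prints argc and the payload argument so
# a caller can confirm the JSON arrived as one intact token.
fake_botchan() {
  printf '%d\n%s\n' "$#" "$3"
}

# Constructed payload with the apostrophe that breaks the original fallback.
SIGNAL_JSON='{"reasoning":"don'"'"'t trust","signal":"sell"}'
publish_signal fake_botchan demo-topic "$SIGNAL_JSON" PLACEHOLDER_KEY
```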