fix: validate and quote sandbox name in shell commands #170
Merged
jacobtomlinson merged 3 commits into main (Mar 17, 2026)
Sandbox name from user prompt was interpolated unquoted into openshell commands, causing failures when the name contained spaces or unexpected input. Added name validation (alphanumeric, hyphens, underscores only) and quoted all sandbox name interpolations in shell commands.

Closes #166

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The initial commit missed 5 unquoted ${sandboxName} interpolations in
bin/nemoclaw.js (sandboxConnect, sandboxStatus, sandboxLogs,
sandboxDestroy). These have the same shell injection / argument parsing
vulnerability as the onboard.js ones fixed in the previous commit.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Sandbox creation failed with capital letters because Kubernetes requires RFC 1123 subdomains (lowercase alphanumeric + hyphens, must start/end with alphanumeric). Now the name is auto-lowercased and the prompt shows the naming rules.

Closes #202

jacobtomlinson approved these changes, Mar 17, 2026

brianwtaylor added a commit to brianwtaylor/NemoClaw that referenced this pull request, Mar 21, 2026
Extends the RFC 1123 validation and double-quoting pattern from NVIDIA#170 (sandbox names) to the deploy() function. All 7 unquoted ${name} interpolations in ssh/scp/rsync commands are now quoted, and instance names are validated at entry to prevent command injection.

Ryuketsukami pushed a commit to Ryuketsukami/NemoClaw that referenced this pull request, Mar 24, 2026

* fix: validate and quote sandbox name in shell commands

  Sandbox name from user prompt was interpolated unquoted into openshell commands, causing failures when the name contained spaces or unexpected input. Added name validation (alphanumeric, hyphens, underscores only) and quoted all sandbox name interpolations in shell commands.

  Closes NVIDIA#166

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: also quote sandbox name in bin/nemoclaw.js shell commands

  The initial commit missed 5 unquoted ${sandboxName} interpolations in bin/nemoclaw.js (sandboxConnect, sandboxStatus, sandboxLogs, sandboxDestroy). These have the same shell injection / argument parsing vulnerability as the onboard.js ones fixed in the previous commit.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: auto-lowercase sandbox names and enforce RFC 1123 rules

  Sandbox creation failed with capital letters because Kubernetes requires RFC 1123 subdomains (lowercase alphanumeric + hyphens, must start/end with alphanumeric). Now the name is auto-lowercased and the prompt shows the naming rules.

  Closes NVIDIA#202

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jessesanford pushed a commit to jessesanford/NemoClaw that referenced this pull request, Mar 24, 2026
mafueee pushed a commit to mafueee/NemoClaw that referenced this pull request, Mar 28, 2026

Summary

Closes #166, closes #202

Two sandbox name issues:

- ${sandboxName} in shell commands across onboard.js, policies.js, and nemoclaw.js caused argument parsing failures

Changes:

- .trim() the sandbox name from user input
- /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/)
- ${sandboxName} in all shell commands across 3 files (onboard.js, policies.js, nemoclaw.js)

Test results

Validation logic (23 assertions, 0 failures)

- My-Assistant → my-assistant, valid
- ALLCAPS → allcaps, valid
- TestBox → testbox, valid
- my-assistant
- sandbox1
- a
- a-b-c
- my-assistant
- "" (empty)
- " " (whitespace)
- -start
- end-
- has_underscore
- has space
- semi;colon
- $(whoami)
- null/undefined

Real openshell E2E

Input TestCaps at the sandbox name prompt → auto-lowered to testcaps → sandbox created successfully on real openshell. On main without this fix, the same input produces a Kubernetes RFC 1123 error.

Shell command quoting sweep (0 unquoted)

grep -rn 'run(' bin/ --include='*.js' | grep sandboxName | grep -v '"${sandboxName}"' returns zero matches across onboard.js, policies.js, and nemoclaw.js.

E2E inference

Sandbox created on this branch, provider configured, agent prompt sent to Nemotron 3 Super 120B through real OpenShell gateway → response received.
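
The normalization and the quoting sweep from the summary above, as an added JavaScript example that is not the project's own code: only the regular expression comes from the page, while `normalizeSandboxName`, `findUnquoted` and the `example-cli` sample lines are hypothetical. The sweep checks every occurrence rather than every line, so a line that mixes a quoted and an unquoted `${sandboxName}` is still reported.

```javascript
// Added example; helper names and sample lines are constructed, not project code.

// Pattern quoted in the PR description: lowercase alphanumerics and hyphens,
// with an alphanumeric character at both ends.
const SANDBOX_NAME_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;

// Hypothetical helper: trim, lowercase, then validate. Returns the normalized
// name, or null when the input cannot be used as a sandbox name.
// Double quotes stop word splitting, but a POSIX shell still expands $(...)
// inside them, so this check is what rejects input such as $(whoami).
function normalizeSandboxName(raw) {
  if (typeof raw !== "string") return null;
  const name = raw.trim().toLowerCase();
  return SANDBOX_NAME_RE.test(name) ? name : null;
}

// Hypothetical sweep: report each ${sandboxName} occurrence that is not
// directly wrapped in double quotes, with its 1-based line and column.
function findUnquoted(sourceLines) {
  const hits = [];
  sourceLines.forEach((line, i) => {
    const re = /\$\{sandboxName\}/g;
    let m;
    while ((m = re.exec(line)) !== null) {
      const before = line[m.index - 1];
      const after = line[m.index + m[0].length];
      if (before !== '"' || after !== '"') {
        hits.push({ line: i + 1, col: m.index + 1 });
      }
    }
  });
  return hits;
}

// Constructed source lines (single-quoted so ${...} stays literal text).
const SAMPLE_SOURCE = [
  'run(`example-cli status "${sandboxName}"`);',
  'run(`example-cli logs ${sandboxName}`);',
  'run(`example-cli copy "${sandboxName}" ${sandboxName}`);',
];

console.log(normalizeSandboxName("  TestCaps "), normalizeSandboxName("$(whoami)"));
console.log(findUnquoted(SAMPLE_SOURCE));
```
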