Skip to content

Fix #166: Quote sandbox names in shell commands and add validation#211

Closed
hkc5 wants to merge 2 commits intoNVIDIA:mainfrom
hkc5:main
Closed

Fix #166: Quote sandbox names in shell commands and add validation#211
hkc5 wants to merge 2 commits intoNVIDIA:mainfrom
hkc5:main

Conversation

@hkc5
Copy link
Copy Markdown

@hkc5 hkc5 commented Mar 17, 2026

Summary

Fixes #166 - Sandbox names were being interpolated into shell commands without proper quoting, causing failures when names contain spaces or special characters.

Changes

  • Added function: Properly escapes strings for safe use in shell commands using single quotes and handling embedded single quotes.

  • Added function: Enforces that sandbox names contain only alphanumeric characters and hyphens (plus 64-character max length), rejecting names that could cause issues.

  • Applied shell escaping to all shell commands that use :

  • Added validation check: Exits with a clear error message if the user provides an invalid sandbox name.

Security

This fix prevents potential shell injection vulnerabilities where malicious sandbox names could execute arbitrary commands.

Testing

Tested validation and escaping logic with various inputs including:

  • Valid names: my-assistant, assistant123, test-123-abc
  • Invalid names with spaces, semicolons, pipes, quotes, etc.
  • Injection attempts like name'; rm -rf /; echo '

All tests pass.

hkc5 added 2 commits March 17, 2026 14:49
@hkc5
fix: quote sandbox names in shell commands and add validation
d0ec16b 
Fixes NVIDIA#166

- Add shellEscape() function to properly escape sandbox names in shell commands
- Add validateSandboxName() function to enforce alphanumeric + hyphens only
- Apply shell escaping to all shell commands that use sandboxName:
  - openshell sandbox delete
  - openshell sandbox create --name
  - openshell forward start
- Exit with error if sandbox name fails validation

This prevents shell injection and failures when sandbox names contain
spaces or special characters.
@hkc5
fix: normalize sandbox names to lowercase to prevent creation failures
917d9b0
@brianwtaylor brianwtaylor mentioned this pull request Mar 17, 2026
Closed
@hkc5
Copy link
Copy Markdown
Author

hkc5 commented Mar 18, 2026

Closing this PR because it was accidentally created with main as the head branch (i.e., opened from main against main). It also contains a second commit that belongs to PR #212 (the lowercase normalization fix).

The quoting/validation changes from the first commit will be resubmitted on a proper branch (fix-sandbox-name-quoting) as a new PR targeting main.

@hkc5 hkc5 closed this Mar 18, 2026
@hkc5 hkc5 mentioned this pull request Mar 18, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Sandbox name not quoted in shell commands in onboard.js

1 participant

@hkc5