fix: validate sandbox names to prevent shell injection#52
Closed
futhgar wants to merge 2 commits intoNVIDIA:mainfrom
Closed
fix: validate sandbox names to prevent shell injection#52futhgar wants to merge 2 commits intoNVIDIA:mainfrom
futhgar wants to merge 2 commits intoNVIDIA:mainfrom
Conversation
The pypi and npm presets used protocol: rest with tls: terminate, which intercepts TLS connections and restricts traffic to explicit HTTP method rules. This breaks pip and npm because both tools establish HTTPS connections via CONNECT tunneling, which the TLS-terminating proxy rejects with 403 errors. Switch both presets to access: full, matching the pattern already used by the github and npm_registry policies in the base sandbox configuration (openclaw-sandbox.yaml). This allows package managers to establish direct TLS connections to their registries. Fixes NVIDIA#19 Signed-off-by: futhgar <jmaldonado.rosa@gmail.com>
Sandbox and instance names from user input are interpolated directly
into shell commands (openshell sandbox connect, docker run --name, etc.)
without validation. A name containing shell metacharacters could execute
arbitrary commands on the host.
Add validateName() to runner.js enforcing ^[a-zA-Z0-9][a-zA-Z0-9._-]{0,62}$
and call it at the three user-input entry points:
- CLI sandbox dispatch (nemoclaw <name> <action>)
- deploy command (nemoclaw deploy <instance-name>)
- onboard wizard (sandbox name prompt)
Includes 7 unit tests covering valid names, length limits, empty input,
shell metacharacter rejection, and custom error labels.
Fixes NVIDIA#45
Signed-off-by: futhgar <jmaldonado.rosa@gmail.com>
Author
|
Closing — this overlaps with #170 which was merged and addresses the same sandbox name validation issue. Thanks! |
mafueee
pushed a commit
to mafueee/NemoClaw
that referenced
this pull request
Mar 28, 2026
Closes NVIDIA#48, NVIDIA#52 ## Summary - Replace the envoy-gateway-based TLS setup with inline PKI generation during cluster bootstrap, generating CA, server, and client certificates directly in the `navigator-bootstrap` crate - Remove all envoy gateway Helm templates (`gateway.yaml`, `gatewayclass.yaml`, `grpcroute.yaml`, PKI job, traffic policies) and the `Dockerfile.pki-job` - Add native mTLS support to the navigator server with `tokio-rustls`, mounting client TLS certs as volumes into sandbox pods - Update cluster entrypoint, healthcheck, and deploy scripts to work with the new direct-TLS architecture - Add TLS security e2e test and fix formatting/clippy warnings ## Test Plan - All unit tests pass (`cargo test --workspace`) - Clippy clean (`cargo clippy --workspace --all-targets`) - Format clean (`cargo fmt --all -- --check`) - Python tests pass (`uv run pytest python/`) - Full `mise run pre-commit` passes
mafueee
pushed a commit
to mafueee/NemoClaw
that referenced
this pull request
Mar 28, 2026
…S path resolution (NVIDIA#52)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Sandbox and instance names from user input are interpolated directly into shell commands (
openshell sandbox connect ${name},docker run --name ${name}, etc.) without validation. A name containing shell metacharacters (;,$(), backticks, pipes) could execute arbitrary commands on the host.Fix
Add
validateName()torunner.jsenforcing^[a-zA-Z0-9][a-zA-Z0-9._-]{0,62}$and call it at the three user-input entry points:nemoclaw <name> <action>(nemoclaw.js)nemoclaw deploy <instance-name>(nemoclaw.js)Changes
bin/lib/runner.jsvalidateName()with regex enforcement and export itbin/nemoclaw.jsvalidateName, call it indeploy()and sandbox dispatchbin/lib/onboard.jsvalidateName, call it after sandbox name prompttest/runner.test.jsTest plan
npm test— 45/45 pass (38 existing + 7 new)nemoclaw my-assistant connect— valid name, passes validationnemoclaw "test; echo pwned" connect— rejected with clear errornemoclaw deploy '$(whoami)'— rejectednemoclaw onboardwith empty name → defaults tomy-assistant(valid)nemoclaw boguscmd— still shows "Unknown command" (not "Invalid name")Fixes #45