fix(security): harden credential preflight PATH

Author: Dicklesworthstone

scripts/lib/credential_preflight.sh

@@ -9,6 +9,10 @@
 
 set -euo pipefail
 
+CRED_PREFLIGHT_SYSTEM_PATH="/usr/bin:/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/sbin"
+PATH="$CRED_PREFLIGHT_SYSTEM_PATH"
+export PATH
+
 CRED_PREFLIGHT_JSON=false
 CRED_PREFLIGHT_ROOT=""
 CRED_PREFLIGHT_HOME="${HOME:-}"
@@ -23,6 +27,7 @@ CRED_PREFLIGHT_EXCLUDES=()
 CRED_PREFLIGHT_FINDINGS=()
 CRED_PREFLIGHT_SKIPPED=()
 CRED_PREFLIGHT_FILES_SCANNED=0
+CRED_PREFLIGHT_JQ_BIN=""
 
 credential_preflight_usage() {
     cat <<'EOF'
@@ -102,25 +107,49 @@ credential_preflight_parse_args() {
 
 credential_preflight_binary_path() {
     local name="${1:-}"
-    local path_value=""
+    local candidate=""
 
     [[ -n "$name" ]] || return 1
     case "$name" in
-        .|..|*/*) return 1 ;;
+        .|..|*/*|*[!A-Za-z0-9._+-]*) return 1 ;;
     esac
 
-    path_value="$(command -v "$name" 2>/dev/null || true)"
-    [[ -n "$path_value" && -x "$path_value" ]] || return 1
-    printf '%s\n' "$path_value"
+    for candidate in \
+        "/usr/bin/$name" \
+        "/bin/$name" \
+        "/usr/local/bin/$name" \
+        "/usr/local/sbin/$name" \
+        "/usr/sbin/$name" \
+        "/sbin/$name"
+    do
+        [[ -x "$candidate" ]] || continue
+        printf '%s\n' "$candidate"
+        return 0
+    done
+
+    return 1
 }
 
 credential_preflight_require_jq() {
-    if ! credential_preflight_binary_path jq >/dev/null 2>&1; then
+    CRED_PREFLIGHT_JQ_BIN="$(credential_preflight_binary_path jq 2>/dev/null || true)"
+    if [[ -z "$CRED_PREFLIGHT_JQ_BIN" ]]; then
         echo "Error: jq is required for acfs credential-preflight" >&2
         return 2
     fi
 }
 
+credential_preflight_jq() {
+    local jq_bin="$CRED_PREFLIGHT_JQ_BIN"
+
+    if [[ -z "$jq_bin" || ! -x "$jq_bin" ]]; then
+        jq_bin="$(credential_preflight_binary_path jq 2>/dev/null || true)"
+        [[ -n "$jq_bin" ]] || return 2
+        CRED_PREFLIGHT_JQ_BIN="$jq_bin"
+    fi
+
+    "$jq_bin" "$@"
+}
+
 credential_preflight_abs_path() {
     local path="$1"
     local dir=""
@@ -253,7 +282,7 @@ credential_preflight_json_array_from_objects() {
     if [[ $# -eq 0 ]]; then
         printf '[]\n'
     else
-        printf '%s\n' "$@" | jq -s .
+        printf '%s\n' "$@" | credential_preflight_jq -s .
     fi
 }
 
@@ -264,7 +293,7 @@ credential_preflight_add_skipped() {
     local reason="$4"
     local object=""
 
-    object="$(jq -n \
+    object="$(credential_preflight_jq -n \
         --arg file "$(credential_preflight_display_path "$root" "$path")" \
         --arg source "$source" \
         --arg reason "$reason" \
@@ -293,7 +322,7 @@ credential_preflight_add_finding() {
     local evidence="$6"
     local object=""
 
-    object="$(jq -n \
+    object="$(credential_preflight_jq -n \
         --arg category "$category" \
         --arg severity "warning" \
         --arg file "$(credential_preflight_display_path "$root" "$path")" \
@@ -508,7 +537,7 @@ credential_preflight_render_json() {
 
     findings_json="$(credential_preflight_json_array_from_objects "${CRED_PREFLIGHT_FINDINGS[@]}")"
     skipped_json="$(credential_preflight_json_array_from_objects "${CRED_PREFLIGHT_SKIPPED[@]}")"
-    categories_json="$(jq -n --argjson findings "$findings_json" '
+    categories_json="$(credential_preflight_jq -n --argjson findings "$findings_json" '
       $findings
       | group_by(.category)
       | map({category: .[0].category, count: length})
@@ -518,7 +547,7 @@ credential_preflight_render_json() {
         status="warn"
     fi
 
-    jq -n \
+    credential_preflight_jq -n \
         --arg generated_at "$CRED_PREFLIGHT_GENERATED_AT" \
         --arg status "$status" \
         --argjson files_scanned "$CRED_PREFLIGHT_FILES_SCANNED" \
@@ -563,7 +592,7 @@ credential_preflight_render_human() {
         "${#CRED_PREFLIGHT_FINDINGS[@]}" \
         "$CRED_PREFLIGHT_FILES_SCANNED"
     for object in "${CRED_PREFLIGHT_FINDINGS[@]}"; do
-        jq -r '"\(.file):\(.line): \(.category) - \(.evidence)\n  Remediation: \(.remediation)"' <<<"$object"
+        credential_preflight_jq -r '"\(.file):\(.line): \(.category) - \(.evidence)\n  Remediation: \(.remediation)"' <<<"$object"
     done
     if [[ ${#CRED_PREFLIGHT_SKIPPED[@]} -gt 0 ]]; then
         printf 'Skipped %d file(s); use --json for reasons.\n' "${#CRED_PREFLIGHT_SKIPPED[@]}"

tests/unit/test_credential_preflight.sh

@@ -176,6 +176,35 @@ PASSWORD=abc
     pass "benign_examples_pass"
 }
 
+test_uses_system_path_not_shadowed_tools() {
+    local test_dir="$ARTIFACT_DIR/path-shadow"
+    local fake_bin="$test_dir/bin"
+    local fixture="$test_dir/.env"
+    local output="$test_dir/output.json"
+    local marker="$test_dir/shadowed-tool-ran"
+    local binary_name=""
+
+    mkdir -p "$fake_bin"
+    write_fixture "$fixture" 'GITHUB_TOKEN=your-token-here'
+    for binary_name in date dirname jq; do
+        cat > "$fake_bin/$binary_name" <<'EOF'
+#!/usr/bin/env bash
+printf 'shadowed tool should not run: %s\n' "$0" > "$CRED_PREFLIGHT_POISON_MARKER"
+exit 99
+EOF
+        chmod +x "$fake_bin/$binary_name"
+    done
+
+    CRED_PREFLIGHT_POISON_MARKER="$marker" \
+        PATH="$fake_bin:/usr/bin:/bin" \
+        bash "$CREDENTIAL_PREFLIGHT_SH" --json --file "$fixture" > "$output" || return 1
+
+    [[ ! -e "$marker" ]] || return 1
+    jq -e '.status == "pass" and .summary.files_scanned == 1' "$output" >/dev/null || return 1
+
+    pass "uses_system_path_not_shadowed_tools"
+}
+
 test_detects_hex_encoded_secret_values_under_secret_keys() {
     local fixture="$ARTIFACT_DIR/hex-secret/.env"
     local output="$ARTIFACT_DIR/hex-secret.json"
@@ -347,6 +376,7 @@ main() {
     run_test test_secret_matrix_detects_categories_without_value_leaks
     run_test test_detects_private_key_marker
     run_test test_benign_examples_pass
+    run_test test_uses_system_path_not_shadowed_tools
     run_test test_detects_hex_encoded_secret_values_under_secret_keys
     run_test test_json_secret_value_detection_ignores_unrelated_placeholder_words
     run_test test_detects_later_secret_pairs_on_same_line