security(x402): sanitize ServiceOffer-sourced tokens in 402 copy-paste commands

spec.model.name and metadata.name flow from the ServiceOffer CR into
copy-pasteable 'obol buy inference ...' commands rendered on the public 402
page. A hostile or fat-fingered offer could smuggle shell metacharacters into
a command a reader might paste. Add sanitizeDisplayToken at the render
boundary: CR-sourced tokens must match the model-id/k8s-name charset
(^[A-Za-z0-9._:/-]+$) or collapse to the existing safe placeholder. Real ids
like qwen3.5:9b and anthropic/claude-3-5-sonnet-latest pass through unchanged.

Author: bussyjd

internal/x402/paymentrequired.go

@@ -8,11 +8,34 @@ import (
 	"html/template"
 	"math/big"
 	"net/http"
+	"regexp"
 	"strings"
 
 	x402types "github.com/coinbase/x402/go/types"
 )
 
+// displayTokenRe is the allowed charset for ServiceOffer-sourced strings
+// (offer name, model id) that get interpolated into copy-pasteable CLI
+// commands and prompts on the 402 page. It permits the model-id / k8s-name
+// vocabulary — alphanumerics plus `. _ : / -` — and nothing else, so shell
+// metacharacters can never reach a command a reader might paste.
+var displayTokenRe = regexp.MustCompile(`^[A-Za-z0-9._:/-]+$`)
+
+// sanitizeDisplayToken guards a CR-sourced string before it lands in a
+// copy-pasteable command on the public 402 page. A ServiceOffer is
+// operator-authored, but the page is served over the public tunnel, so a
+// hostile or fat-fingered spec.model.name / metadata.name must not smuggle
+// shell metacharacters into the rendered command. Anything that isn't a clean
+// model-id/k8s-name token (including empty/whitespace) collapses to the
+// caller's placeholder.
+func sanitizeDisplayToken(s, placeholder string) string {
+	s = strings.TrimSpace(s)
+	if s == "" || !displayTokenRe.MatchString(s) {
+		return placeholder
+	}
+	return s
+}
+
 //go:embed templates/payment_required.html
 var paymentRequiredHTMLSrc string
 
@@ -229,7 +252,7 @@ func sendPaymentRequiredHTML(w http.ResponseWriter, r *http.Request, requirement
 		NetworkLabel:        networkLabel,
 		PriceDisplay:        priceDisplay,
 		PayToDisplay:        payToDisplay,
-		PayToFull:            payToFull,
+		PayToFull:           payToFull,
 		ExplorerURL:         display.ExplorerURL,
 		OfferDescription:    display.OfferDescription,
 		Skills:              display.AgentSkills,
@@ -347,14 +370,8 @@ func normalizeOfferType(t string) string {
 // raw-JSON paths, but reframed so users understand they're buying remote
 // model time, not an agent with tools/memory.
 func inferenceCopy(url string, d PaymentDisplay) typeCopy {
-	model := strings.TrimSpace(d.Model)
-	if model == "" {
-		model = "<model-id>"
-	}
-	name := strings.TrimSpace(d.OfferName)
-	if name == "" {
-		name = "remote-inference"
-	}
+	model := sanitizeDisplayToken(d.Model, "<model-id>")
+	name := sanitizeDisplayToken(d.OfferName, "remote-inference")
 
 	cmd := fmt.Sprintf(
 		"obol buy inference %s \\\n  --seller %s \\\n  --model %s \\\n  --budget 1 \\\n  --no-verify-identity",
@@ -397,7 +414,7 @@ func inferenceCopy(url string, d PaymentDisplay) typeCopy {
 // example sits next to the raw x402 JSON in the Pay-manually card to
 // make the wire shape obvious to readers walking the spec by hand.
 func agentCopy(url string, d PaymentDisplay) typeCopy {
-	model := strings.TrimSpace(d.Model)
+	model := sanitizeDisplayToken(d.Model, "")
 	modelClause := ""
 	modelLine := ""
 	if model != "" {

internal/x402/paymentrequired_test.go

@@ -173,7 +173,7 @@ func TestHTMLAware_DegradeWithoutDisplay(t *testing.T) {
 	}
 	body := w.Body.String()
 	mustContain(t, body, "Payment required")
-	mustContain(t, body, "/anything") // endpoint falls back to URL.Path
+	mustContain(t, body, "/anything")           // endpoint falls back to URL.Path
 	mustContain(t, body, "1000 (atomic units)") // price falls back to atomic units
 }
 
@@ -367,3 +367,55 @@ func mustContain(t *testing.T, haystack, needle string) {
 		t.Errorf("body does not contain %q", needle)
 	}
 }
+
+// sanitizeDisplayToken must pass real model ids / offer names through
+// untouched while collapsing anything carrying shell metacharacters to the
+// placeholder — the values land in copy-pasteable commands on the public
+// 402 page.
+func TestSanitizeDisplayToken(t *testing.T) {
+	const ph = "<model-id>"
+	cases := []struct {
+		in   string
+		want string
+	}{
+		{"qwen3.5:9b", "qwen3.5:9b"},
+		{"AEON-7", "AEON-7"},
+		{"anthropic/claude-3-5-sonnet-latest", "anthropic/claude-3-5-sonnet-latest"},
+		{"gpt-5.4", "gpt-5.4"},
+		{"  qwen3.5:9b  ", "qwen3.5:9b"}, // trimmed
+		{"", ph},
+		{"   ", ph},
+		{"x; rm -rf ~", ph},
+		{"$(whoami)", ph},
+		{"a`id`b", ph},
+		{"a && b", ph},
+		{"a|b", ph},
+		{"a$b", ph},
+		{"a\nb", ph},
+		{`a"b`, ph},
+	}
+	for _, c := range cases {
+		if got := sanitizeDisplayToken(c.in, ph); got != c.want {
+			t.Errorf("sanitizeDisplayToken(%q) = %q, want %q", c.in, got, c.want)
+		}
+	}
+}
+
+// A hostile ServiceOffer must never get its raw spec.model.name /
+// metadata.name reflected into the rendered copy-paste command.
+func TestInferenceCopy_StripsShellMetacharsFromCommand(t *testing.T) {
+	d := PaymentDisplay{
+		OfferType: "inference",
+		Model:     "x; rm -rf ~",
+		OfferName: "a && curl evil",
+	}
+	c := inferenceCopy("https://agent.example.tunnel.dev/services/x", d)
+	for _, bad := range []string{"rm -rf", "&&", "curl evil", ";"} {
+		if strings.Contains(c.PrimaryPayload, bad) {
+			t.Fatalf("hostile token leaked into command payload %q (contains %q)", c.PrimaryPayload, bad)
+		}
+	}
+	// Falls back to the safe placeholders instead.
+	mustContain(t, c.PrimaryPayload, "--model <model-id>")
+	mustContain(t, c.PrimaryPayload, "obol buy inference remote-inference")
+}