fix(console): shell-escape zmx session name

deevus · deevus · commit 7791915ce150 · 2026-04-29T17:26:14.000+10:00
Defense-in-depth against shell injection via the --session flag. Although validSessionName already restricts the value to a safe character set, escaping at the point of use protects against future regex changes or callers that bypass the regex. Fixes #9
diff --git a/cmd/console.go b/cmd/console.go
@@ -6,6 +6,7 @@ import (
 	"regexp"
 	"time"
 
+	"al.essio.dev/pkg/shellescape"
 	"github.com/briandowns/spinner"
 	"github.com/spf13/cobra"
 
@@ -104,7 +105,14 @@ func zmxRemoteCmdViaSandbox(ctx context.Context, sb sandbox.Sandbox, name, sessi
 		Cmd: []string{"sh", "-c", "command -v zmx >/dev/null 2>&1"},
 	})
 	if err == nil && code == 0 {
-		return []string{"sh", "-lc", "unset XDG_RUNTIME_DIR && zmx attach " + session + " bash -l"}
+		return zmxAttachCmd(session)
 	}
 	return nil
 }
+
+// zmxAttachCmd builds the shell command that attaches to a zmx session.
+// The session name is shell-escaped for defense-in-depth even though
+// validSessionName already restricts it to a safe character set.
+func zmxAttachCmd(session string) []string {
+	return []string{"sh", "-lc", "unset XDG_RUNTIME_DIR && zmx attach " + shellescape.Quote(session) + " bash -l"}
+}
diff --git a/cmd/console_test.go b/cmd/console_test.go
@@ -0,0 +1,37 @@
+package cmd
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestZmxAttachCmdEscapesSession(t *testing.T) {
+	tests := []struct {
+		name     string
+		session  string
+		contains string
+	}{
+		{"plain", "console", "zmx attach console bash -l"},
+		{"with-dash", "my-session", "zmx attach my-session bash -l"},
+		{"with-dot", "test.1", "zmx attach test.1 bash -l"},
+		{"semicolon", "foo;rm -rf /", "zmx attach 'foo;rm -rf /' bash -l"},
+		{"backtick", "foo`id`", "zmx attach 'foo`id`' bash -l"},
+		{"dollar", "foo$(id)", "zmx attach 'foo$(id)' bash -l"},
+		{"single-quote", "foo'bar", `zmx attach 'foo'"'"'bar' bash -l`},
+		{"space", "foo bar", "zmx attach 'foo bar' bash -l"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := zmxAttachCmd(tt.session)
+			if len(got) != 3 {
+				t.Fatalf("zmxAttachCmd returned %d args, want 3", len(got))
+			}
+			if got[0] != "sh" || got[1] != "-lc" {
+				t.Errorf("zmxAttachCmd prefix = %q %q, want sh -lc", got[0], got[1])
+			}
+			if !strings.Contains(got[2], tt.contains) {
+				t.Errorf("zmxAttachCmd(%q)[2] = %q, want substring %q", tt.session, got[2], tt.contains)
+			}
+		})
+	}
+}
