Prevent remote code execution in the terraform block

maor-rozenfeld · maor-rozenfeld · commit 86d0274048e6 · 2025-12-12T12:52:40.000+01:00
diff --git a/packages/blocks/terraform/src/lib/hcledit-cli.ts b/packages/blocks/terraform/src/lib/hcledit-cli.ts
@@ -7,12 +7,26 @@ export interface TerraformResource {
   type: string;
 }
 
+const SAFE_IDENTIFIER_PATTERN = /^[a-zA-Z0-9_-]+$/;
+
+function validateIdentifier(value: string, fieldName: string): void {
+  if (!value || !SAFE_IDENTIFIER_PATTERN.test(value)) {
+    throw new Error(
+      `${fieldName} contains invalid characters. Only alphanumeric, underscore, and hyphen are allowed. Received: ${value}`,
+    );
+  }
+}
+
+function escapeShellArgument(value: string): string {
+  return `'${value.replace(/'/g, `'\\''`)}'`;
+}
+
 export async function getResources(
   template: string,
 ): Promise<TerraformResource[]> {
   const commandResult = await useTempFile(template, async (filePath) => {
     return await executeHclEditCommand(
-      `-f ${filePath} block get resource | hcledit block list`,
+      `-f ${escapeShellArgument(filePath)} block get resource | hcledit block list`,
     );
   });
 
@@ -35,15 +49,29 @@ export async function getResources(
     return [];
   }
 
-  const resources = commandResult.stdOut.split('\n').map((line) => {
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const [_, type, name] = line.split('.').map((value) => value.trim());
-
-    return {
-      name: name,
-      type: type,
-    };
-  });
+  const resources = commandResult.stdOut
+    .split('\n')
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0)
+    .map((line) => {
+      const [blockType, type, name] = line
+        .split('.')
+        .map((value) => value.trim());
+
+      if (blockType !== 'resource' || !type || !name) {
+        throw new Error(
+          `Unexpected resource format received from hcledit. Line: ${line}`,
+        );
+      }
+
+      validateIdentifier(type, 'Resource type');
+      validateIdentifier(name, 'Resource name');
+
+      return {
+        name,
+        type,
+      };
+    });
 
   return resources;
 }
@@ -54,13 +82,21 @@ export async function updateResourceProperties(
   resourceName: string,
   modifications: { propertyName: string; propertyValue: string }[],
 ): Promise<string> {
+  validateIdentifier(resourceType, 'Resource type');
+  validateIdentifier(resourceName, 'Resource name');
+
+  modifications.forEach((modification, index) => {
+    validateIdentifier(modification.propertyName, `Property name at index ${index}`);
+  });
+
   const providedTemplate = template.trim() as string;
 
   const result = await useTempFile(providedTemplate, async (filePath) => {
     const updates = [];
     for (const modification of modifications) {
       const propertyName = modification.propertyName;
       const propertyValue = sanitizePropertyValue(modification.propertyValue);
+      const safePropertyValue = escapeShellArgument(propertyValue);
 
       const attributeCommand = await getAttributeCommand(
         filePath,
@@ -70,7 +106,7 @@ export async function updateResourceProperties(
       );
 
       updates.push(
-        `attribute ${attributeCommand} resource.${resourceType}.${resourceName}.${propertyName} ${propertyValue}`,
+        `attribute ${attributeCommand} resource.${resourceType}.${resourceName}.${propertyName} ${safePropertyValue}`,
       );
     }
 
@@ -88,6 +124,13 @@ export async function updateVariablesFile(
 ): Promise<string> {
   const providedTemplate = template.trim();
 
+  modifications.forEach((modification, index) => {
+    validateIdentifier(
+      modification.variableName,
+      `Variable name at index ${index}`,
+    );
+  });
+
   return await useTempFile(providedTemplate, async (filePath) => {
     const updates = [];
 
@@ -107,9 +150,12 @@ export async function deleteResource(
   resourceType: string,
   resourceName: string,
 ): Promise<string> {
+  validateIdentifier(resourceType, 'Resource type');
+  validateIdentifier(resourceName, 'Resource name');
+
   const commandResult = await useTempFile(template, async (filePath) => {
     return await executeHclEditCommand(
-      `-f ${filePath} block rm resource.${resourceType}.${resourceName}`,
+      `-f ${escapeShellArgument(filePath)} block rm resource.${resourceType}.${resourceName}`,
     );
   });
 
@@ -131,7 +177,9 @@ export async function listBlocksCommand(
   template: string,
 ): Promise<CommandResult> {
   return await useTempFile(template, async (filePath) => {
-    return await executeHclEditCommand(`-f ${filePath} block list`);
+    return await executeHclEditCommand(
+      `-f ${escapeShellArgument(filePath)} block list`,
+    );
   });
 }
 
@@ -141,7 +189,7 @@ async function getAttributeCommand(
   resourceName: string,
   propertyName: string,
 ): Promise<string> {
-  const command = `-f ${filePath} attribute get resource.${resourceType}.${resourceName}.${propertyName}`;
+  const command = `-f ${escapeShellArgument(filePath)} attribute get resource.${resourceType}.${resourceName}.${propertyName}`;
 
   const commandResult = await executeHclEditCommand(command);
 
@@ -160,7 +208,7 @@ async function updateTemplateCommand(
   filePath: string,
   modifications: string[],
 ): Promise<string> {
-  const command = `-f ${filePath} ${modifications.join(' | hcledit ')}`;
+  const command = `-f ${escapeShellArgument(filePath)} ${modifications.join(' | hcledit ')}`;
 
   const commandResult = await executeHclEditCommand(command);
 
diff --git a/packages/blocks/terraform/test/hcledit-cli.test.ts b/packages/blocks/terraform/test/hcledit-cli.test.ts
@@ -79,6 +79,19 @@ describe('Get Resources', () => {
       'Failed to execute the command to get resources.',
     );
   });
+
+  test('should throw when resource identifiers contain invalid characters', async () => {
+    mockExecuteCommand.mockResolvedValue({
+      exitCode: 0,
+      stdOut: 'resource.aws_instance.example;rm -rf /',
+      stdError: '',
+    });
+
+    await expect(getResources(testTemplate)).rejects.toThrow(
+      'Resource name contains invalid characters',
+    );
+    expect(mockExecuteCommand).toHaveBeenCalledTimes(1);
+  });
 });
 
 describe('Update Resource Properties', () => {
@@ -102,6 +115,8 @@ describe('Update Resource Properties', () => {
         { propertyName: 'property_name1', propertyValue: setPropertyValue },
         { propertyName: 'property_name2', propertyValue: appendPropertyValue },
       ];
+      const setValueArgument = `'${setPropertyValueExpected}'`;
+      const appendValueArgument = `'${appendPropertyValueExpected}'`;
 
       mockExecuteCommand
         .mockResolvedValueOnce({
@@ -146,7 +161,7 @@ describe('Update Resource Properties', () => {
         '/bin/bash',
         expect.arrayContaining([
           expect.stringContaining(
-            `attribute set resource.aws_instance.example.property_name1 ${setPropertyValueExpected} | hcledit attribute append resource.aws_instance.example.property_name2 ${appendPropertyValueExpected}`,
+            `attribute set resource.aws_instance.example.property_name1 ${setValueArgument} | hcledit attribute append resource.aws_instance.example.property_name2 ${appendValueArgument}`,
           ),
         ]),
       );
@@ -175,6 +190,73 @@ describe('Update Resource Properties', () => {
       'Failed to modify the template. {"exitCode":1,"stdOut":"","stdError":"Error"}',
     );
   });
+
+  test('should escape property values to prevent shell injection', async () => {
+    const modifications = [
+      { propertyName: 'property_name1', propertyValue: 'value; $(whoami)' },
+    ];
+
+    mockExecuteCommand
+      .mockResolvedValueOnce({ exitCode: 1, stdOut: '', stdError: 'missing' })
+      .mockResolvedValueOnce({ exitCode: 0, stdOut: 'result', stdError: '' });
+
+    const result = await updateResourceProperties(
+      testTemplate,
+      'aws_instance',
+      'example',
+      modifications,
+    );
+
+    expect(result).toContain('result');
+    const executedCommand = mockExecuteCommand.mock.calls[1][1][1];
+    expect(executedCommand).toContain(
+      `resource.aws_instance.example.property_name1 '\\"value; $(whoami)\\"'`,
+    );
+  });
+
+  test.each([
+    {
+      description: 'resource type contains invalid characters',
+      resourceType: 'aws_instance; rm -rf /',
+      resourceName: 'example',
+      propertyName: 'property_name1',
+      expectedMessage: 'Resource type contains invalid characters',
+    },
+    {
+      description: 'resource name contains invalid characters',
+      resourceType: 'aws_instance',
+      resourceName: 'example; rm -rf /',
+      propertyName: 'property_name1',
+      expectedMessage: 'Resource name contains invalid characters',
+    },
+    {
+      description: 'property name contains invalid characters',
+      resourceType: 'aws_instance',
+      resourceName: 'example',
+      propertyName: 'property;name',
+      expectedMessage: 'Property name at index 0 contains invalid characters',
+    },
+  ])(
+    'should throw when $description',
+    async ({
+      description,
+      resourceType,
+      resourceName,
+      propertyName,
+      expectedMessage,
+    }) => {
+      await expect(
+        updateResourceProperties(
+          testTemplate,
+          resourceType,
+          resourceName,
+          [{ propertyName, propertyValue: 'value' }],
+        ),
+      ).rejects.toThrow(expectedMessage);
+      expect(mockExecuteCommand).not.toHaveBeenCalled();
+      expect(mockWriteFile).not.toHaveBeenCalled();
+    },
+  );
 });
 
 describe('Delete Resource', () => {
@@ -219,6 +301,14 @@ describe('Delete Resource', () => {
       'Failed to modify the template. {"exitCode":1,"stdOut":"","stdError":"Error"}',
     );
   });
+
+  test('should reject unsafe resource identifiers when deleting', async () => {
+    await expect(
+      deleteResource(testTemplate, 'aws_instance', 'example; rm -rf /'),
+    ).rejects.toThrow('Resource name contains invalid characters');
+    expect(mockExecuteCommand).not.toHaveBeenCalled();
+    expect(mockWriteFile).not.toHaveBeenCalled();
+  });
 });
 
 describe('Update Variables File', () => {
@@ -266,6 +356,14 @@ describe('Update Variables File', () => {
       'Failed to modify the template. {"exitCode":1,"stdOut":"","stdError":"err"}',
     );
   });
+
+  test('should reject invalid variable names', async () => {
+    await expect(
+      updateVariablesFile('a=1', [{ variableName: 'name; rm -rf /', variableValue: 3 }]),
+    ).rejects.toThrow('Variable name at index 0 contains invalid characters');
+    expect(mockExecuteCommand).not.toHaveBeenCalled();
+    expect(mockWriteFile).not.toHaveBeenCalled();
+  });
 });
 
 describe('List Blocks Command', () => {
