Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL] Fix command injection in process throttling #477

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Theory903 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

πŸ›‘οΈ Sentinel: [CRITICAL] Fix command injection in process throttling #477

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,8 @@
**Vulnerability:** Hardcoded API key ("ippoc-secret-key") used as default in `src/cortex/cortex/server.py`.
**Learning:** Default configurations for development often make their way into production or expose systems during testing if not explicitly overridden. The system relied on a specific hardcoded string for default auth, which is a Critical vulnerability (CWE-798).
**Prevention:** Never provide a hardcoded default for secrets. If a secret is missing, either generate a secure random one at runtime (fail-safe) or refuse to start (fail-secure).

## 2025-06-19 - Command Injection in Process Throttling
**Vulnerability:** Found `cp.exec(\`renice +10 -p ${signal.payload.pid}\`)` in `thalamus.ts` which allowed command injection via an unvalidated `pid` payload.
**Learning:** Using `child_process.exec` with unvalidated user input creates severe command injection vulnerabilities. Replacing it with `child_process.execFile` neutralizes the threat, but an error callback is required to prevent unhandled promise rejections on spawn failures.
**Prevention:** Always use `execFile` or `spawn` with an array of arguments instead of string concatenation in `exec`. Always provide error callbacks for detached executions.
4 changes: 3 additions & 1 deletion infra/src/cortex/cortex/openclaw-cortex/src/agents/thalamus.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,9 @@ export class Thalamus {
// Requires permissions, but this is the intent
// In a real env, we might wrap this in a sudo-helper or just log it if permission denied
import("child_process").then(cp => {
cp.exec(`renice +10 -p ${signal.payload.pid}`);
cp.execFile('renice', ['+10', '-p', String(signal.payload.pid)], (error) => {
if (error) console.error("Failed to renice:", error);
});
Comment on lines +79 to +81

@coderabbitai coderabbitai Bot Jun 19, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Locate thalamus JS files and check renice execution style =="
fd -i 'thalamus\.js$' | while read -r f; do
  echo "--- $f ---"
  rg -n "HIGH_CPU_USAGE|renice|cp\\.exec\\(|cp\\.execFile\\(" "$f" || true
done

echo
echo "== Locate imports/requires that could resolve to thalamus.js at runtime =="
rg -nP -C2 "(from\\s+['\"][^'\"]*thalamus(\\.js)?['\"]|require\\(['\"][^'\"]*thalamus(\\.js)?['\"]\\))"

echo
echo "== Check whether build artifacts are tracked =="
fd -i 'thalamus\.js$' | xargs -r git ls-files

Repository: Theory903/open-ippoc

Length of output: 3432

The TS fix is correct, but vulnerable JS versions still exist and are tracked by git in three locations.

The change from cp.exec() to cp.execFile() in the TS file is correct. However, the vulnerability persists in committed JS files:

  • infra/src/cortex/cortex/openclaw-cortex/src/agents/thalamus.js:61 (cp.exec with interpolation)
  • src/cortex/cortex/openclaw-cortex/openclaw-cortex/src/agents/thalamus.js:61
  • src/ippoc/cortex/cortex/openclaw-cortex/src/agents/thalamus.js:61

All three are tracked by git and contain the command injection risk. Remove these stale JS files or confirm they are not reachable at runtime. If they were generated from an older TS build, ensure your build/deployment process regenerates them from the fixed TS source and verifies they use execFile.

πŸ€– Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@infra/src/cortex/cortex/openclaw-cortex/src/agents/thalamus.ts` around lines
79 - 81, Although the TypeScript file thalamus.ts has been correctly fixed to
use cp.execFile() instead of the vulnerable cp.exec(), three compiled JavaScript
files still contain the old vulnerable cp.exec() implementation:
infra/src/cortex/cortex/openclaw-cortex/src/agents/thalamus.js at line 61,
src/cortex/cortex/openclaw-cortex/openclaw-cortex/src/agents/thalamus.js at line
61, and src/ippoc/cortex/cortex/openclaw-cortex/src/agents/thalamus.js at line
61. Either remove these stale JS files if they are generated artifacts no longer
needed, or regenerate them from the corrected TypeScript source to ensure they
use execFile instead of exec. Verify your build and deployment pipeline
automatically regenerates JS files from the TS source to prevent this mismatch
from recurring.

});
return `REFLEX: Throttled process ${signal.payload.pid} (renice +10)`;
} catch (e) {
Expand Down
4 changes: 3 additions & 1 deletion src/cortex/cortex/openclaw-cortex/openclaw-cortex/src/agents/thalamus.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,9 @@ export class Thalamus {
// Requires permissions, but this is the intent
// In a real env, we might wrap this in a sudo-helper or just log it if permission denied
import("child_process").then(cp => {
cp.exec(`renice +10 -p ${signal.payload.pid}`);
cp.execFile('renice', ['+10', '-p', String(signal.payload.pid)], (error) => {
if (error) console.error("Failed to renice:", error);
});
});
return `REFLEX: Throttled process ${signal.payload.pid} (renice +10)`;
} catch (e) {
Expand Down
4 changes: 3 additions & 1 deletion src/ippoc/cortex/cortex/openclaw-cortex/src/agents/thalamus.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,9 @@ export class Thalamus {
// Requires permissions, but this is the intent
// In a real env, we might wrap this in a sudo-helper or just log it if permission denied
import("child_process").then(cp => {
cp.exec(`renice +10 -p ${signal.payload.pid}`);
cp.execFile('renice', ['+10', '-p', String(signal.payload.pid)], (error) => {
if (error) console.error("Failed to renice:", error);
});
});
return `REFLEX: Throttled process ${signal.payload.pid} (renice +10)`;
} catch (e) {
Expand Down
Loading