Problem
Several ops scripts execute .env with shell source semantics.
Evidence:
ops/runtime-cli.sh:5-10ops/runtime-bootstrap.sh:9-14ops/bot.sh:10-15ops/harness.sh:7-12ops/marketing-runtime-bootstrap.sh:10-15ops/marketing-runtime-cli.sh:5-10
All use set -a; . "$ENV_FILE"; set +a.
Impact
If .env or PATINA_ENV_FILE is writable or attacker-controlled, running these scripts executes arbitrary shell code before validation. These scripts can configure runtime, access Discord tokens, and launch autonomous agents.
Suggested fix
- Replace shell sourcing with a strict key=value parser
- Reuse the safer parsing style from
ops/component-bridge.mjs:11-34
- Reject unsupported syntax such as command substitution, semicolons, and multiline shell
- Check
.env ownership and reject group/world-writable files where practical
Validation
.env values still load for normal KEY=value and quoted values- A malicious
.env line like X=$(touch /tmp/pwned) is not executed
Problem
Several ops scripts execute
.envwith shellsourcesemantics.Evidence:
ops/runtime-cli.sh:5-10ops/runtime-bootstrap.sh:9-14ops/bot.sh:10-15ops/harness.sh:7-12ops/marketing-runtime-bootstrap.sh:10-15ops/marketing-runtime-cli.sh:5-10All use
set -a; . "$ENV_FILE"; set +a.Impact
If
.envorPATINA_ENV_FILEis writable or attacker-controlled, running these scripts executes arbitrary shell code before validation. These scripts can configure runtime, access Discord tokens, and launch autonomous agents.Suggested fix
ops/component-bridge.mjs:11-34.envownership and reject group/world-writable files where practicalValidation
.envvalues still load for normalKEY=valueand quoted values.envline likeX=$(touch /tmp/pwned)is not executed