fix(security): harden sandbox command execution

Rebase the sandbox command-hardening changes onto current main.
Add argv-based sandbox command checks and align the onboarding
harness with the hardened dashboard and DNS helper calls.

Author: 13ernkastel

bin/lib/onboard.js

@@ -18,7 +18,16 @@ function envInt(name, fallback) {
   const n = Number(raw);
   return Number.isFinite(n) ? Math.max(0, Math.round(n)) : fallback;
 }
-const { ROOT, SCRIPTS, redact, run, runCapture, shellQuote } = require("./runner");
+const {
+  ROOT,
+  SCRIPTS,
+  redact,
+  run,
+  runCapture,
+  runFile,
+  shellQuote,
+  validateName,
+} = require("./runner");
 const {
   getDefaultOllamaModel,
   getBootstrapOllamaModelOptions,
@@ -2389,15 +2398,14 @@ async function promptValidatedSandboxName() {
       "NEMOCLAW_SANDBOX_NAME",
       "my-assistant",
     );
-    const sandboxName = (nameAnswer || "my-assistant").trim().toLowerCase();
+    const sandboxName = (nameAnswer || "my-assistant").trim();
 
-    // Validate: RFC 1123 subdomain — lowercase alphanumeric and hyphens,
-    // must start and end with alphanumeric (required by Kubernetes/OpenShell)
-    if (/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/.test(sandboxName)) {
-      return sandboxName;
+    try {
+      return validateName(sandboxName, "sandbox name");
+    } catch (error) {
+      console.error(`  ${error.message}`);
     }
 
-    console.error(`  Invalid sandbox name: '${sandboxName}'`);
     console.error("  Names must be lowercase, contain only letters, numbers, and hyphens,");
     console.error("  and must start and end with a letter or number.");
 
@@ -2424,7 +2432,10 @@ async function createSandbox(
 ) {
   step(5, 7, "Creating sandbox");
 
-  const sandboxName = sandboxNameOverride || (await promptValidatedSandboxName());
+  const sandboxName = validateName(
+    sandboxNameOverride ?? (await promptValidatedSandboxName()),
+    "sandbox name",
+  );
   const chatUiUrl = process.env.CHAT_UI_URL || `http://127.0.0.1:${CONTROL_UI_PORT}`;
 
   // Reconcile local registry state with the live OpenShell gateway state.
@@ -2583,11 +2594,11 @@ async function createSandbox(
   // or seeing 502/503 errors during initial load.
   console.log("  Waiting for NemoClaw dashboard to become ready...");
   for (let i = 0; i < 15; i++) {
-    const readyMatch = runCapture(
-      `openshell sandbox exec ${sandboxName} curl -sf http://localhost:18789/ 2>/dev/null || echo "no"`,
+    const readyMatch = runCaptureOpenshell(
+      ["sandbox", "exec", sandboxName, "curl", "-sf", `http://localhost:${CONTROL_UI_PORT}/`],
       { ignoreError: true },
     );
-    if (readyMatch && !readyMatch.includes("no")) {
+    if (readyMatch) {
       console.log("  ✓ Dashboard is live");
       break;
     }
@@ -2612,10 +2623,9 @@ async function createSandbox(
   // DNS proxy — run a forwarder in the sandbox pod so the isolated
   // sandbox namespace can resolve hostnames (fixes #626).
   console.log("  Setting up sandbox DNS proxy...");
-  run(
-    `bash "${path.join(SCRIPTS, "setup-dns-proxy.sh")}" ${GATEWAY_NAME} "${sandboxName}" 2>&1 || true`,
-    { ignoreError: true },
-  );
+  runFile("bash", [path.join(SCRIPTS, "setup-dns-proxy.sh"), GATEWAY_NAME, sandboxName], {
+    ignoreError: true,
+  });
 
   console.log(`  ✓ Sandbox '${sandboxName}' created`);
   return sandboxName;

bin/lib/runner.js

@@ -57,6 +57,30 @@ function runInteractive(cmd, opts = {}) {
   return result;
 }
 
+/**
+ * Run a program directly with argv-style arguments, bypassing shell parsing.
+ * Exits the process on failure unless opts.ignoreError is true.
+ */
+function runFile(file, args = [], opts = {}) {
+  const stdio = opts.stdio ?? ["ignore", "pipe", "pipe"];
+  const normalizedArgs = args.map((arg) => String(arg));
+  const result = spawnSync(file, normalizedArgs, {
+    ...opts,
+    stdio,
+    cwd: ROOT,
+    env: { ...process.env, ...opts.env },
+  });
+  if (!opts.suppressOutput) {
+    writeRedactedResult(result, stdio);
+  }
+  if (result.status !== 0 && !opts.ignoreError) {
+    const rendered = [shellQuote(file), ...normalizedArgs.map((arg) => shellQuote(arg))].join(" ");
+    console.error(`  Command failed (exit ${result.status}): ${redact(rendered).slice(0, 80)}`);
+    process.exit(result.status || 1);
+  }
+  return result;
+}
+
 /**
  * Run a shell command and return its stdout as a trimmed string.
  * Throws a redacted error on failure, or returns '' when opts.ignoreError is true.
@@ -200,6 +224,7 @@ module.exports = {
   redact,
   run,
   runCapture,
+  runFile,
   runInteractive,
   shellQuote,
   validateName,

src/lib/onboard-session.test.ts

@@ -120,6 +120,20 @@ describe("onboard session", () => {
     expect(loaded.metadata.token).toBeUndefined();
   });
 
+  it("persists and clears web search config through safe session updates", () => {
+    session.saveSession(session.createSession());
+    session.markStepComplete("provider_selection", {
+      webSearchConfig: { fetchEnabled: true },
+    });
+
+    let loaded = session.loadSession();
+    expect(loaded.webSearchConfig).toEqual({ fetchEnabled: true });
+
+    session.completeSession({ webSearchConfig: null });
+    loaded = session.loadSession();
+    expect(loaded.webSearchConfig).toBeNull();
+  });
+
   it("does not clear existing metadata when updates omit whitelisted metadata fields", () => {
     session.saveSession(session.createSession({ metadata: { gatewayName: "nemoclaw" } }));
     session.markStepComplete("provider_selection", {

test/onboard.test.js

@@ -1315,10 +1315,20 @@ runner.run = (command, opts = {}) => {
   commands.push({ command, env: opts.env || null });
   return { status: 0 };
 };
+runner.runFile = (file, args = [], opts = {}) => {
+  commands.push({ type: "runFile", file, args, env: opts.env || null });
+  return { status: 0 };
+};
 runner.runCapture = (command) => {
   if (command.includes("'sandbox' 'get' 'my-assistant'")) return "";
   if (command.includes("'sandbox' 'list'")) return "my-assistant Ready";
-  if (command.includes("sandbox exec my-assistant curl -sf http://localhost:18789/")) return "ok";
+  if (
+    command.includes(
+      "'sandbox' 'exec' 'my-assistant' 'curl' '-sf' 'http://localhost:18789/'",
+    )
+  ) {
+    return "ok";
+  }
   return "";
 };
 registry.registerSandbox = () => true;
@@ -1390,6 +1400,74 @@ const { createSandbox } = require(${onboardPath});
     );
   });
 
+  it("rejects a whitespace-only sandboxNameOverride before any shell helpers run", async () => {
+    const repoRoot = path.join(import.meta.dirname, "..");
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-onboard-blank-override-"));
+    const scriptPath = path.join(tmpDir, "blank-sandbox-override.js");
+    const onboardPath = JSON.stringify(path.join(repoRoot, "bin", "lib", "onboard.js"));
+    const runnerPath = JSON.stringify(path.join(repoRoot, "bin", "lib", "runner.js"));
+    const registryPath = JSON.stringify(path.join(repoRoot, "bin", "lib", "registry.js"));
+    const preflightPath = JSON.stringify(path.join(repoRoot, "bin", "lib", "preflight.js"));
+    const credentialsPath = JSON.stringify(path.join(repoRoot, "bin", "lib", "credentials.js"));
+
+    const script = String.raw`
+const runner = require(${runnerPath});
+const registry = require(${registryPath});
+const preflight = require(${preflightPath});
+const credentials = require(${credentialsPath});
+
+const commands = [];
+runner.run = (command, opts = {}) => {
+  commands.push({ type: "run", command, env: opts.env || null });
+  return { status: 0 };
+};
+runner.runFile = (file, args = [], opts = {}) => {
+  commands.push({ type: "runFile", file, args, env: opts.env || null });
+  return { status: 0 };
+};
+runner.runCapture = (command) => {
+  commands.push({ type: "runCapture", command });
+  return "";
+};
+registry.registerSandbox = () => true;
+registry.removeSandbox = () => true;
+preflight.checkPortAvailable = async () => ({ ok: true });
+credentials.prompt = async () => {
+  throw new Error("prompt should not be reached for an explicit override");
+};
+
+const { createSandbox } = require(${onboardPath});
+
+(async () => {
+  try {
+    await createSandbox(null, "gpt-5.4", "nvidia-prod", null, "   ");
+    console.log(JSON.stringify({ ok: true, commands }));
+  } catch (error) {
+    console.log(JSON.stringify({ ok: false, message: error.message, commands }));
+  }
+})().catch((error) => {
+  console.error(error);
+  process.exit(1);
+});
+`;
+    fs.writeFileSync(scriptPath, script);
+
+    const result = spawnSync(process.execPath, [scriptPath], {
+      cwd: repoRoot,
+      encoding: "utf-8",
+      env: {
+        ...process.env,
+        HOME: tmpDir,
+      },
+    });
+
+    assert.equal(result.status, 0, result.stderr);
+    const payload = JSON.parse(result.stdout.trim().split("\n").pop());
+    assert.equal(payload.ok, false);
+    assert.match(payload.message, /Invalid sandbox name/);
+    assert.deepEqual(payload.commands, []);
+  });
+
   it("binds the dashboard forward to 0.0.0.0 when CHAT_UI_URL points to a remote host", async () => {
     const repoRoot = path.join(import.meta.dirname, "..");
     const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-onboard-remote-forward-"));
@@ -1419,10 +1497,20 @@ runner.run = (command, opts = {}) => {
   commands.push({ command, env: opts.env || null });
   return { status: 0 };
 };
+runner.runFile = (file, args = [], opts = {}) => {
+  commands.push({ type: "runFile", file, args, env: opts.env || null });
+  return { status: 0 };
+};
 runner.runCapture = (command) => {
   if (command.includes("'sandbox' 'get' 'my-assistant'")) return "";
   if (command.includes("'sandbox' 'list'")) return "my-assistant Ready";
-  if (command.includes("sandbox exec my-assistant curl -sf http://localhost:18789/")) return "ok";
+  if (
+    command.includes(
+      "'sandbox' 'exec' 'my-assistant' 'curl' '-sf' 'http://localhost:18789/'",
+    )
+  ) {
+    return "ok";
+  }
   return "";
 };
 registry.registerSandbox = () => true;
@@ -1510,13 +1598,23 @@ runner.run = (command, opts = {}) => {
   commands.push({ command, env: opts.env || null });
   return { status: 0 };
 };
+runner.runFile = (file, args = [], opts = {}) => {
+  commands.push({ type: "runFile", file, args, env: opts.env || null });
+  return { status: 0 };
+};
 runner.runCapture = (command) => {
   if (command.includes("'sandbox' 'get' 'my-assistant'")) return "";
   if (command.includes("'sandbox' 'list'")) {
     sandboxListCalls += 1;
     return sandboxListCalls >= 2 ? "my-assistant Ready" : "my-assistant Pending";
   }
-  if (command.includes("sandbox exec my-assistant curl -sf http://localhost:18789/")) return "ok";
+  if (
+    command.includes(
+      "'sandbox' 'exec' 'my-assistant' 'curl' '-sf' 'http://localhost:18789/'",
+    )
+  ) {
+    return "ok";
+  }
   return "";
 };
 registry.registerSandbox = () => true;

test/registry.test.js

@@ -107,6 +107,25 @@ describe("registry", () => {
     expect(data.defaultSandbox).toBe("persist");
   });
 
+  it("clearAll removes persisted sandboxes and the default pointer", () => {
+    registry.registerSandbox({ name: "alpha", model: "m1" });
+    registry.registerSandbox({ name: "beta", model: "m2" });
+    registry.setDefault("beta");
+
+    registry.clearAll();
+
+    expect(registry.listSandboxes()).toEqual({
+      sandboxes: [],
+      defaultSandbox: null,
+    });
+    expect(registry.getDefault()).toBe(null);
+    expect(registry.getSandbox("alpha")).toBe(null);
+    expect(JSON.parse(fs.readFileSync(regFile, "utf-8"))).toEqual({
+      sandboxes: {},
+      defaultSandbox: null,
+    });
+  });
+
   it("handles corrupt registry file gracefully", () => {
     fs.mkdirSync(path.dirname(regFile), { recursive: true });
     fs.writeFileSync(regFile, "NOT JSON");

test/runner.test.js

@@ -56,6 +56,55 @@ describe("runner helpers", () => {
     expect(calls[0][2].stdio).toEqual(["ignore", "pipe", "pipe"]);
     expect(calls[1][2].stdio).toEqual(["inherit", "pipe", "pipe"]);
   });
+  it("runs argv-style commands without going through bash -c", () => {
+    const calls = [];
+    const originalSpawnSync = childProcess.spawnSync;
+    // @ts-expect-error — intentional partial mock for testing
+    childProcess.spawnSync = (...args) => {
+      calls.push(args);
+      return { status: 0, stdout: "", stderr: "" };
+    };
+
+    try {
+      delete require.cache[require.resolve(runnerPath)];
+      const { runFile } = require(runnerPath);
+      runFile("bash", ["/tmp/setup.sh", "safe;name", "$(id)"]);
+    } finally {
+      childProcess.spawnSync = originalSpawnSync;
+      delete require.cache[require.resolve(runnerPath)];
+    }
+
+    expect(calls).toHaveLength(1);
+    expect(calls[0][0]).toBe("bash");
+    expect(calls[0][1]).toEqual(["/tmp/setup.sh", "safe;name", "$(id)"]);
+    expect(calls[0][2].stdio).toEqual(["ignore", "pipe", "pipe"]);
+  });
+
+  it("honors suppressOutput for argv-style commands", () => {
+    const originalSpawnSync = childProcess.spawnSync;
+    const stdoutSpy = vi.spyOn(process.stdout, "write").mockImplementation(() => true);
+    const stderrSpy = vi.spyOn(process.stderr, "write").mockImplementation(() => true);
+    // @ts-expect-error — intentional partial mock for testing
+    childProcess.spawnSync = () => ({
+      status: 0,
+      stdout: "safe stdout\n",
+      stderr: "safe stderr\n",
+    });
+
+    try {
+      delete require.cache[require.resolve(runnerPath)];
+      const { runFile } = require(runnerPath);
+      runFile("bash", ["/tmp/setup.sh"], { suppressOutput: true });
+    } finally {
+      childProcess.spawnSync = originalSpawnSync;
+      stdoutSpy.mockRestore();
+      stderrSpy.mockRestore();
+      delete require.cache[require.resolve(runnerPath)];
+    }
+
+    expect(stdoutSpy).not.toHaveBeenCalled();
+    expect(stderrSpy).not.toHaveBeenCalled();
+  });
 });
 
 describe("runner env merging", () => {