Arbitrary shell code execution via unsanitized .env sourcing #3

Closed
opened 2026-05-14 21:31:58 +02:00 by Claude · 0 comments
Collaborator

Problem

audit.sh sources the .env file with source "$SCRIPT_DIR/.env" inside a set -a block without any validation of the file's contents. source executes the file as shell code, not as a simple key=value parser.

Location

audit.sh, lines 54–57:

if [[ -f "$SCRIPT_DIR/.env" ]]; then
    set -a
    source "$SCRIPT_DIR/.env"
    set +a
fi

Risk

If an attacker gains write access to the .env file (e.g., via misconfigured filesystem permissions, a compromised CI/CD pipeline writing to the workspace, or a path traversal in another part of the system), they can execute arbitrary shell commands as the user running audit.sh. Since set -a is active, all variables — including injected ones — are exported to every child process, including the claude CLI and all git commands. A malicious .env could also redefine REPOS_DIR, LOG_DIR, or FORGEJO_URL to redirect the audit to an attacker-controlled endpoint.

Suggested fix direction

Replace source with a dedicated key=value parser that only reads lines matching ^[A-Z_]+= and rejects everything else. Example: while IFS='=' read -r key val; do export "$key=$val"; done < <(grep -E '^[A-Z_]+=' .env). This prevents shell metacharacters in the file from being interpreted.

Severity

moderate

Found by

Automated audit by Claude Code

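A stricter version of the loader sketched under "Suggested fix direction", added here as an example; it is not code from the audit.sh project. It goes beyond the one-liner in the issue in three ways: it checks each key against an allowlist (the `^[A-Z_]+=` filter alone would still let a planted file set any uppercase variable such as `PATH`, which `set -a` then hands to the `claude` CLI and every git child process), it strips one pair of surrounding quotes without ever expanding the value, and it tolerates CRLF files and a missing final newline. The function names `load_env_file` and `env_key_allowed`, the allowlist contents, and the sample file are assumptions; only `REPOS_DIR`, `LOG_DIR` and `FORGEJO_URL` come from the issue. It is written in plain POSIX sh, so it also runs unchanged under the bash that audit.sh uses.

```sh
#!/bin/sh
# Added example, not code from the audit.sh project: a strict key=value
# loader meant to replace `set -a; source "$SCRIPT_DIR/.env"; set +a`.
# The file is never evaluated as shell; only allowlisted keys are exported
# and values stay literal text.

# Keys the audit script is expected to read. REPOS_DIR, LOG_DIR and
# FORGEJO_URL are named in the issue; the allowlist itself is an assumption.
ENV_ALLOWED_KEYS="REPOS_DIR LOG_DIR FORGEJO_URL"

# env_key_allowed KEY -> exit 0 when KEY is on the allowlist
env_key_allowed() {
    case " $ENV_ALLOWED_KEYS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# load_env_file FILE
# Exports allowlisted KEY=value pairs from FILE. Comments and blank lines are
# skipped silently; malformed lines and unknown keys are reported on stderr
# and counted. Returns 1 if anything was rejected so the caller can abort.
load_env_file() {
    _file=$1; _rejected=0
    _cr=$(printf '\r')
    # `|| [ -n "$_line" ]` keeps a last line that has no trailing newline.
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%"$_cr"}                 # tolerate CRLF files
        case $_line in
            ''|'#'*) continue ;;
        esac
        _key=${_line%%=*}
        _val=${_line#*=}
        # Reject lines with no '=' at all, or with an empty key.
        if [ "$_key" = "$_line" ] || [ -z "$_key" ]; then
            printf 'env: rejected malformed line: %s\n' "$_line" >&2
            _rejected=$((_rejected + 1)); continue
        fi
        # Key must be an UPPERCASE identifier: [A-Z_][A-Z0-9_]*
        case $_key in
            [0-9]*|*[!A-Z0-9_]*)
                printf 'env: rejected malformed key: %s\n' "$_key" >&2
                _rejected=$((_rejected + 1)); continue ;;
        esac
        if ! env_key_allowed "$_key"; then
            printf 'env: rejected unknown key: %s\n' "$_key" >&2
            _rejected=$((_rejected + 1)); continue
        fi
        # Strip one pair of matching surrounding quotes. No expansion happens
        # here, so $(...), backticks and ';' inside the value remain literal.
        case $_val in
            \"*\") _val=${_val#\"}; _val=${_val%\"} ;;
            \'*\') _val=${_val#\'}; _val=${_val%\'} ;;
        esac
        export "$_key=$_val"
    done < "$_file"
    [ "$_rejected" -eq 0 ]
}

# Demo on a constructed sample file: two good lines, a comment, and two lines
# of the kind a planted .env could contain. Nothing in it is evaluated.
demo=$(mktemp)
printf '%s\n' '# constructed sample .env' 'REPOS_DIR="/srv/repos"' \
    'FORGEJO_URL=https://forge.example/api?x=1' \
    'EVIL=$(echo injected); echo still-here' 'PATH=/tmp/evil' > "$demo"
load_env_file "$demo" || printf 'env: some lines were rejected\n' >&2
printf 'REPOS_DIR=%s FORGEJO_URL=%s EVIL=%s\n' \
    "$REPOS_DIR" "$FORGEJO_URL" "${EVIL-<unset>}"
rm -f "$demo"
```

In audit.sh the call site would become `load_env_file "$SCRIPT_DIR/.env" || exit 1` in place of the `set -a` block, so a file containing anything other than the expected keys stops the audit instead of being partially applied.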
bc1bb referenced this issue from a commit 2026-05-15 01:22:41 +02:00
bc1bb closed this issue 2026-05-15 01:22:41 +02:00
Reference
bc1bb/claude-code-audit#3