keystone-cli 1.1.2 → 1.2.0

package/src/runner/executors/security.test.ts

@@ -0,0 +1,69 @@
+import { afterAll, beforeAll, describe, expect, test } from 'bun:test';
+import { AUTO_LOAD_SECRET_PREFIXES } from '../../utils/env-constants';
+import { SecretManager } from '../services/secret-manager';
+import { detectShellInjectionRisk } from './shell-executor';
+
+describe('Security Fixes', () => {
+  describe('ShellExecutor Command Injection', () => {
+    test('detectShellInjectionRisk should block newlines', () => {
+      // Regular space should be allowed
+      expect(detectShellInjectionRisk('echo hello')).toBe(false);
+
+      // Newline characters should be detected as risk
+      expect(detectShellInjectionRisk('echo hello\n')).toBe(true);
+      expect(detectShellInjectionRisk('echo hello\r')).toBe(true);
+      expect(detectShellInjectionRisk('echo hello\nrm -rf /')).toBe(true);
+
+      // Standard allowed characters should still pass
+      expect(detectShellInjectionRisk('curl -X POST https://example.com/api')).toBe(false);
+      expect(detectShellInjectionRisk('file_name-v1.0+beta.txt')).toBe(false);
+    });
+
+    test('detectShellInjectionRisk should correctly handle quotes', () => {
+      // Content inside single quotes is considered safe (literal)
+      expect(detectShellInjectionRisk("echo 'safe string with ; and |'")).toBe(false);
+
+      // But unsafe chars outside quotes must be caught
+      expect(detectShellInjectionRisk("echo 'safe'; rm -rf /")).toBe(true);
+    });
+  });
+
+  describe('SecretManager Auto-loading', () => {
+    // Save original env to restore later
+    const originalEnv = { ...Bun.env };
+
+    afterAll(() => {
+      // Restore env
+      for (const key of Object.keys(Bun.env)) {
+        delete Bun.env[key];
+      }
+      for (const [key, value] of Object.entries(originalEnv)) {
+        if (value) Bun.env[key] = value;
+      }
+    });
+
+    test('should only load secrets with allowed prefixes', () => {
+      // Setup test env vars
+      Bun.env.KEYSTONE_TEST_SECRET = 'secret-value-1';
+      Bun.env.GITHUB_TOKEN = 'gh-token-123';
+      Bun.env.MY_RANDOM_TOKEN = 'unsafe-token-should-not-load';
+      Bun.env.SOME_API_KEY = 'unsafe-api-key';
+
+      const secretManager = new SecretManager();
+      const secrets = secretManager.loadSecrets();
+
+      expect(secrets.KEYSTONE_TEST_SECRET).toBe('secret-value-1');
+      expect(secrets.GITHUB_TOKEN).toBe('gh-token-123');
+
+      // Should NOT load these even though they contain "TOKEN" or "KEY"
+      expect(secrets.MY_RANDOM_TOKEN).toBeUndefined();
+      expect(secrets.SOME_API_KEY).toBeUndefined();
+    });
+
+    test('env constants should match implementation', () => {
+      // Quick sanity check that our test logic matches the constants
+      expect(AUTO_LOAD_SECRET_PREFIXES).toContain('KEYSTONE_');
+      expect(AUTO_LOAD_SECRET_PREFIXES).toContain('GITHUB_');
+    });
+  });
+});

package/src/runner/executors/shell-executor.ts

@@ -43,6 +43,9 @@ export async function executeShellStep(
   abortSignal?: AbortSignal
 ): Promise<StepResult> {
   if (step.args) {
+    // args are inherently safe from shell injection as they skip the shell
+    // and pass the array directly to the OS via Bun.spawn.
+
     const command = step.args.map((a) => ExpressionEvaluator.evaluateString(a, context)).join(' ');
     if (dryRun) {
       logger.log(`[DRY RUN] Would execute: ${command}`);
@@ -200,13 +203,35 @@ async function readStreamWithLimit(
 }
 
 // Whitelist of allowed characters for secure shell command execution
-// Allows: Alphanumeric, whitespace, and common safe punctuation (_ . / : @ , + - = ' " !)
-// Blocks: Backslashes, pipes, redirects, subshells, variables ($), etc.
-const SAFE_SHELL_CHARS = /^[a-zA-Z0-9\s_./:@,+=~'"!-]+$/;
+// Allows: Alphanumeric, space, and common safe punctuation (_ . / : @ , + - = ' " ! ~)
+// Blocks: Newlines (\n, \r), Pipes, redirects, subshells, variables ($), etc.
+const SAFE_SHELL_CHARS = /^[a-zA-Z0-9 _./:@,+=~'"!-]+$/;
 
 export function detectShellInjectionRisk(rawCommand: string): boolean {
-  // If the command contains any character NOT in the whitelist, it's considered risky
-  return !SAFE_SHELL_CHARS.test(rawCommand);
+  // We scan the command to handle single quotes correctly.
+  // Characters inside single quotes are considered escaped/literal and safe from shell injection.
+  let inSingleQuote = false;
+
+  for (let i = 0; i < rawCommand.length; i++) {
+    const char = rawCommand[i];
+
+    if (char === "'") {
+      inSingleQuote = !inSingleQuote;
+      continue;
+    }
+
+    // Outside single quotes, we enforce the strict whitelist
+    if (!inSingleQuote) {
+      if (!SAFE_SHELL_CHARS.test(char)) {
+        return true;
+      }
+    }
+    // Inside single quotes, everything is treated as a literal string by the shell,
+    // so we don't need to block special characters.
+  }
+
+  // If we ended with an unclosed single quote, it's a syntax risk
+  return inSingleQuote;
 }
 
 /**

package/src/runner/memoization-leak.test.ts

@@ -0,0 +1,83 @@
+import { afterEach, describe, expect, it } from 'bun:test';
+import { existsSync, rmSync } from 'node:fs';
+import { MemoryDb } from '../db/memory-db';
+import { WorkflowDb } from '../db/workflow-db';
+import type { Workflow } from '../parser/schema';
+import { container } from '../utils/container';
+import { ConsoleLogger } from '../utils/logger';
+import { WorkflowRunner } from './workflow-runner';
+
+describe('Workflow Memoization Leak (Args Check)', () => {
+  const dbPath = 'test-memoization-leak.db';
+
+  container.register('logger', new ConsoleLogger());
+  container.register('db', new WorkflowDb(dbPath));
+  container.register('memoryDb', new MemoryDb());
+
+  afterEach(() => {
+    if (existsSync(dbPath)) {
+      rmSync(dbPath);
+    }
+  });
+
+  it('should NOT collide for shell steps with same command but different args', async () => {
+    const workflow: Workflow = {
+      name: 'memoize-args-wf',
+      inputs: {
+        arg: { type: 'string' },
+      },
+      steps: [
+        {
+          id: 's1',
+          type: 'shell',
+          args: ['echo', '${{ inputs.arg }}'],
+          allowInsecure: true,
+          memoize: true,
+          needs: [],
+        },
+      ],
+      outputs: {
+        out: '${{ steps.s1.output.stdout.trim() }}',
+      },
+    } as unknown as Workflow;
+
+    let executeCount = 0;
+    const trackedExecuteStep = async (step: any, context: any, logger: any, options: any) => {
+      if (step.id === 's1') executeCount++;
+      const { executeStep } = await import('./step-executor');
+      return executeStep(step, context, logger, options);
+    };
+
+    // Run 1: arg=A
+    const runner1 = new WorkflowRunner(workflow, {
+      dbPath,
+      inputs: { arg: 'A' },
+      executeStep: trackedExecuteStep,
+    });
+    const out1 = await runner1.run();
+    expect(out1.out).toBe('A');
+    expect(executeCount).toBe(1);
+
+    // Run 2: arg=A -> Cache Hit
+    const runner2 = new WorkflowRunner(workflow, {
+      dbPath,
+      inputs: { arg: 'A' },
+      executeStep: trackedExecuteStep,
+    });
+    executeCount = 0;
+    const out2 = await runner2.run();
+    expect(out2.out).toBe('A');
+    expect(executeCount).toBe(0); // Memoized
+
+    // Run 3: arg=B -> Execute (Must not collide with A)
+    const runner3 = new WorkflowRunner(workflow, {
+      dbPath,
+      inputs: { arg: 'B' },
+      executeStep: trackedExecuteStep,
+    });
+    executeCount = 0;
+    const out3 = await runner3.run();
+    expect(out3.out).toBe('B');
+    expect(executeCount).toBe(1); // Should execute because args are different!
+  });
+});

package/src/runner/recovery-security.test.ts

@@ -0,0 +1,132 @@
+import { beforeEach, describe, expect, jest, test } from 'bun:test';
+import type { Step, Workflow } from '../parser/schema';
+import { WorkflowRunner } from './workflow-runner';
+
+describe('WorkflowRunner Recovery Security', () => {
+  beforeEach(() => {
+    jest.restoreAllMocks();
+  });
+
+  test('should NOT allow reflexion to overwrite critical step properties', async () => {
+    const workflow: Workflow = {
+      name: 'reflexion-security-test',
+      steps: [
+        {
+          id: 'fail-step',
+          type: 'shell',
+          run: 'exit 1',
+          reflexion: {
+            limit: 2,
+          },
+        } as Step,
+      ],
+    };
+
+    const mockGetAdapter = () => ({
+      adapter: {
+        chat: async () => ({
+          message: {
+            content: JSON.stringify({
+              run: 'echo "fixed"',
+              type: 'script', // ATTEMPT TO CHANGE TYPE
+              id: 'malicious-id', // ATTEMPT TO CHANGE ID
+            }),
+          },
+        }),
+      } as any,
+      resolvedModel: 'mock-model',
+    });
+
+    const spy = jest.fn();
+
+    const runner = new WorkflowRunner(workflow, {
+      logger: { log: () => {}, error: () => {}, warn: () => {}, debug: () => {} },
+      dbPath: ':memory:',
+      getAdapter: mockGetAdapter,
+      executeStep: spy as any,
+    });
+
+    const db = (runner as any).db;
+    await db.createRun(runner.runId, workflow.name, {});
+
+    spy.mockImplementation(async (step: any) => {
+      if (step.run === 'exit 1') {
+        return { status: 'failed', output: null, error: 'Command failed' };
+      }
+      return { status: 'success', output: 'fixed' };
+    });
+
+    await (runner as any).executeStepWithForeach(workflow.steps[0]);
+
+    // Expectations:
+    // 1. First execution (fails)
+    // 2. Reflexion happens
+    // 3. Second execution (retry)
+    expect(spy).toHaveBeenCalledTimes(2);
+
+    const secondCallArg = spy.mock.calls[1][0] as any;
+    expect(secondCallArg.run).toBe('echo "fixed"');
+    expect(secondCallArg.type).toBe('shell'); // Should still be shell
+    expect(secondCallArg.id).toBe('fail-step'); // Should still be fail-step
+  });
+
+  test('should NOT allow auto_heal to overwrite critical step properties', async () => {
+    const workflow: Workflow = {
+      name: 'autoheal-security-test',
+      steps: [
+        {
+          id: 'fail-step',
+          type: 'shell',
+          run: 'exit 1',
+          auto_heal: {
+            maxAttempts: 1,
+            agent: 'healer',
+          },
+        } as Step,
+      ],
+    };
+
+    const spy = jest.fn();
+    const runner = new WorkflowRunner(workflow, {
+      logger: { log: () => {}, error: () => {}, warn: () => {}, debug: () => {} },
+      dbPath: ':memory:',
+      executeStep: spy as any,
+    });
+
+    const db = (runner as any).db;
+    await db.createRun(runner.runId, workflow.name, {});
+
+    spy.mockImplementation(async (step: any) => {
+      if (step.run === 'exit 1') {
+        return { status: 'failed', output: null, error: 'Command failed' };
+      }
+      if (step.id === 'fail-step' && step.run === 'echo "fixed"') {
+        return { status: 'success', output: 'fixed' };
+      }
+      // This is the healer agent call itself
+      if (step.id === 'fail-step-healer') {
+        return {
+          status: 'success',
+          output: {
+            run: 'echo "fixed"',
+            type: 'script', // ATTEMPT TO CHANGE TYPE
+            id: 'malicious-id', // ATTEMPT TO CHANGE ID
+          },
+        };
+      }
+      return { status: 'failed', error: 'Unexpected step' };
+    });
+
+    await (runner as any).executeStepWithForeach(workflow.steps[0]);
+
+    // 1. Initial fail
+    // 2. Healer call
+    // 3. Retry
+    expect(spy).toHaveBeenCalledTimes(3);
+
+    const retryCallArg = spy.mock.calls[2][0] as any;
+    expect(retryCallArg.run).toBe('echo "fixed"');
+    expect(retryCallArg.type).toBe('shell');
+    expect(retryCallArg.id).toBe('fail-step');
+  });
+});

package/src/runner/services/context-builder.ts

@@ -113,21 +113,124 @@ export class ContextBuilder {
           }
         }
         return stripUndefined({
-          run: ExpressionEvaluator.evaluateString((step as any).run, context),
+          run: ExpressionEvaluator.evaluateString(step.run, context),
+          args: step.args?.map((arg: string) => ExpressionEvaluator.evaluateString(arg, context)),
+          dir: step.dir ? ExpressionEvaluator.evaluateString(step.dir, context) : undefined,
           env,
+          allowInsecure: step.allowInsecure,
         });
       }
-      case 'file': {
+      case 'file':
         return stripUndefined({
-          path: ExpressionEvaluator.evaluateString((step as any).path, context),
-          content: (step as any).content
-            ? ExpressionEvaluator.evaluateString((step as any).content, context)
+          path: ExpressionEvaluator.evaluateString(step.path, context),
+          content:
+            step.content !== undefined
+              ? ExpressionEvaluator.evaluateString(step.content as string, context)
+              : undefined,
+          op: step.op,
+          allowOutsideCwd: step.allowOutsideCwd,
+        });
+      case 'artifact':
+        return stripUndefined({
+          op: step.op,
+          name: ExpressionEvaluator.evaluateString(step.name, context),
+          paths: step.paths?.map((p: string) => ExpressionEvaluator.evaluateString(p, context)),
+          path: step.path
+            ? ExpressionEvaluator.evaluateString(step.path as string, context)
             : undefined,
-          op: (step as any).op,
+          allowOutsideCwd: step.allowOutsideCwd,
+        });
+      case 'request': {
+        let headers: Record<string, string> | undefined;
+        if (step.headers) {
+          headers = {};
+          for (const [key, value] of Object.entries(step.headers)) {
+            headers[key] = ExpressionEvaluator.evaluateString(value as string, context);
+          }
+        }
+        return stripUndefined({
+          url: ExpressionEvaluator.evaluateString(step.url, context),
+          method: step.method,
+          headers,
+          body:
+            step.body !== undefined
+              ? ExpressionEvaluator.evaluateObject(step.body, context)
+              : undefined,
+          allowInsecure: step.allowInsecure,
+        });
+      }
+      case 'human':
+        return stripUndefined({
+          message: ExpressionEvaluator.evaluateString(step.message, context),
+          inputType: step.inputType,
         });
+      case 'sleep': {
+        const evaluated = ExpressionEvaluator.evaluate(step.duration.toString(), context);
+        return { duration: Number(evaluated) };
       }
+      case 'llm':
+        return stripUndefined({
+          agent: ExpressionEvaluator.evaluateString(step.agent, context),
+          provider: step.provider
+            ? ExpressionEvaluator.evaluateString(step.provider, context)
+            : undefined,
+          model: step.model ? ExpressionEvaluator.evaluateString(step.model, context) : undefined,
+          prompt: ExpressionEvaluator.evaluateString(step.prompt, context),
+          tools: step.tools,
+          maxIterations: step.maxIterations,
+          useGlobalMcp: step.useGlobalMcp,
+          allowClarification: step.allowClarification,
+          mcpServers: step.mcpServers,
+          useStandardTools: step.useStandardTools,
+          allowOutsideCwd: step.allowOutsideCwd,
+          allowInsecure: step.allowInsecure,
+        });
+      case 'workflow':
+        return stripUndefined({
+          path: step.path,
+          inputs: step.inputs
+            ? ExpressionEvaluator.evaluateObject(step.inputs, context)
+            : undefined,
+        });
+      case 'script':
+        return stripUndefined({
+          run: step.run,
+          allowInsecure: step.allowInsecure,
+        });
+      case 'engine': {
+        const env: Record<string, string> = {};
+        for (const [key, value] of Object.entries(step.env || {})) {
+          env[key] = ExpressionEvaluator.evaluateString(value as string, context);
+        }
+        return stripUndefined({
+          command: ExpressionEvaluator.evaluateString(step.command, context),
+          args: step.args?.map((arg: string) => ExpressionEvaluator.evaluateString(arg, context)),
+          input:
+            step.input !== undefined
+              ? ExpressionEvaluator.evaluateObject(step.input, context)
+              : undefined,
+          env,
+          cwd: step.cwd ? ExpressionEvaluator.evaluateString(step.cwd, context) : undefined,
+        });
+      }
+      case 'memory':
+        return stripUndefined({
+          op: step.op,
+          query: step.query ? ExpressionEvaluator.evaluateString(step.query, context) : undefined,
+          text: step.text ? ExpressionEvaluator.evaluateString(step.text, context) : undefined,
+          model: step.model,
+          metadata: step.metadata
+            ? ExpressionEvaluator.evaluateObject(step.metadata, context)
+            : undefined,
+          limit: step.limit,
+        });
+      case 'wait':
+        return stripUndefined({
+          event: ExpressionEvaluator.evaluateString(step.event, context),
+          oneShot: step.oneShot,
+        });
       default: {
-        // For most steps, we just pass through properties which might contain expressions
+        // For fallback, pass through properties which might contain expressions
         const inputs: Record<string, unknown> = {};
         for (const [key, value] of Object.entries(step)) {
           if (key === 'id' || key === 'type' || key === 'if' || key === 'foreach') continue;

package/src/runner/services/secret-manager.ts

@@ -1,4 +1,5 @@
-import { RedactionBuffer, Redactor } from '../../utils/redactor';
+import { AUTO_LOAD_SECRET_PREFIXES } from '../../utils/env-constants.ts';
+import { RedactionBuffer, Redactor } from '../../utils/redactor.ts';
 
 export class SecretManager {
   private secretValues: string[] = [];
@@ -49,12 +50,17 @@ export class SecretManager {
       }
     }
 
-    // Include pattern-matched secrets from Bun.env (safe-ish way to get common secrets)
-    const secretPatterns = [/token/i, /key/i, /secret/i, /password/i, /auth/i, /api/i];
+    // Include pattern-matched secrets from Bun.env (safe way using prefix whitelist)
     for (const [key, value] of Object.entries(Bun.env)) {
-      if (value && secretPatterns.some((p) => p.test(key))) {
-        // Skip common system non-secret variables that might match patterns
-        if (safeSystemVars.includes(key)) continue;
+      if (!value) continue;
+
+      // Skip common system non-secret variables
+      if (safeSystemVars.includes(key)) continue;
+
+      // Check against allowed prefixes
+      const isSecret = AUTO_LOAD_SECRET_PREFIXES.some((prefix) => key.startsWith(prefix));
+
+      if (isSecret) {
         secrets[key] = value;
       }
     }

package/src/runner/step-executor.ts

@@ -8,6 +8,7 @@ import { executeArtifactStep } from './executors/artifact-executor.ts';
 import { executeBlueprintStep } from './executors/blueprint-executor.ts';
 import { executeEngineStepWrapper } from './executors/engine-executor.ts';
 import { executeFileStep } from './executors/file-executor.ts';
+import { executeGitStep } from './executors/git-executor.ts';
 import { executeHumanStep, executeSleepStep } from './executors/human-executor.ts';
 import { executeJoinStep } from './executors/join-executor.ts';
 import { executeLlmStep } from './executors/llm-executor.ts';
@@ -167,6 +168,9 @@ export async function executeStep(
       case 'join':
         result = await executeJoinStep(step, context, logger, abortSignal);
         break;
+      case 'git':
+        result = await executeGitStep(step, context, logger, abortSignal);
+        break;
       default:
         throw new Error(`Unknown step type: ${(step as Step).type}`);
     }