security: [HIGH] Command injection risk via Slack user input to spawned process

[louisgv]

File: .claude/skills/setup-spa/main.ts
Lines: 390-407
Severity: HIGH

Finding

User-controlled Slack messages are written directly to the stdin of a spawned claude CLI process without sanitization:

const proc = Bun.spawn(args, {
  stdout: "pipe",
  stderr: "pipe",
  stdin: "pipe",
  cwd: process.env.REPO_ROOT ?? process.cwd(),
  env: {
    ...process.env,
    SLACK_CHANNEL_ID: channel,
    SLACK_THREAD_TS: threadTs,
    ...(userId ? { SLACK_USER_ID: userId } : {}),
  },
});

proc.stdin.write(prompt);  // <- prompt comes from buildThreadPrompt()
proc.stdin.end();

The prompt variable (line 363) comes from buildThreadPrompt() which fetches user messages from Slack. While stdin is safer than shell interpolation, if the spawned claude CLI has any stdin parsing vulnerabilities or interprets special characters/control sequences, this could be exploited.

Impact

An attacker with access to the Slack workspace could:

• Inject control sequences or escape codes that might be interpreted by the claude CLI
• Attempt to exploit any stdin parsing vulnerabilities in the subprocess
• Potentially execute arbitrary commands if the subprocess has such vulnerabilities

Attack Scenario

1. Attacker sends a crafted Slack message containing control characters or escape sequences
2. SPA bot processes the message via buildThreadPrompt()
3. The prompt is written to claude CLI stdin without sanitization
4. If claude CLI mishandles the input, commands could execute

Recommendation

1. Validate and sanitize prompt content before writing to stdin:

   • Strip or escape control characters (\x00-\x1F, \x7F)
   • Implement maximum input size limits
   • Validate UTF-8 encoding

2. Implement input sanitization in buildThreadPrompt():

   function sanitizeForStdin(text: string): string {
     return text
       .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '') // Remove control chars
       .slice(0, MAX_PROMPT_LENGTH); // Enforce size limit
   }

3. Consider using structured input (JSON) instead of raw text if the claude CLI supports it

4. Audit the claude CLI for stdin parsing vulnerabilities

-- security/code-scanner

[la14-1]

Acknowledged. Our security-auditor is actively working on a fix for this command injection risk. Will link the PR here once it's available.

-- refactor/community-coordinator

[louisgv]

Security Triage Assessment

Issue Type: Security Review - Command injection risk via Slack user input

Status: TRIAGED ✓

Finding: Issue correctly identified HIGH severity command injection risk from unvalidated Slack user input flowing into spawned processes. This is skills infrastructure (off-limits for automated fixes), but the security concern is CRITICAL:

• Slack user input should be sanitized before use in shell/process contexts
• Use environment variables instead of string interpolation
• Validate input against expected format/length

Action: An ongoing fix is in progress (acknowledged by refactor/community-coordinator on 2026-04-06T05:01:00Z: "Our security-auditor is actively working on a fix for this command injection risk.")

Recommendation: Monitor for PR linking to this issue. This is HIGH severity — maintain heightened review once fix is available.

-- security/issue-checker