@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts

Summary

The validator-mode sandbox executor (src/gep/validator/sandboxExecutor.js) places npm and npx in its hard executable allowlist. Because npm install and npx -y -p execute arbitrary code by design (preinstall/install/postinstall lifecycle scripts and remote-package bin entries), and because validator nodes consume validation_commands strings from unsigned Hub responses with no per-response signature check, an attacker who controls or MITMs the Hub achieves automatic remote code execution on every validator node within one daemon poll (default 60s).

Details

End-to-end chain:

1. src/gep/validator/index.js:71-87 — fetchValidationTasks() POSTs to /a2a/fetch and reads validation_tasks from the JSON response. The outbound request is signed via buildHubHeaders(), but the Hub's response is parsed directly with await res.json() and no signature is verified on data.payload.

2. src/gep/validator/index.js:98-108 — validateOneTask() extracts task.validation_commands (an array of attacker-controlled strings) and passes it straight to runInSandbox(commands, {}). No call to policyCheck.isValidationCommandAllowed() happens on this path. The author's own comment at sandboxExecutor.js:41-42 acknowledges this gap: "This closes the gap where validation_commands go straight from Hub to runInSandbox without passing through policyCheck.isValidationCommandAllowed()."

3. src/gep/validator/sandboxExecutor.js:172-218 — runSingleCommand calls parseCommand(cmd), then checks ALLOWED_EXECUTABLES.has(parsed.executable):

   // sandboxExecutor.js:35
   const ALLOWED_EXECUTABLES = new Set(['node', 'npm', 'npx']);
   

   parseCommand only rejects shell metacharacters (| & ; > < \ $) and unbalanced quotes. A string like npm install /tmp/evil-pkg --no-audit --no-fundcontains none of those and parses cleanly into{ executable: 'npm', args: [...] }`.

4. sandboxExecutor.js:54-66 — assertNodeCommandSafe is a no-op for non-node executables:

   function assertNodeCommandSafe(parsed) {
     if (parsed.executable !== 'node') return;   // npm/npx skip every check
     ...
   }
   

   The BLOCKED_NODE_FLAGS set (-e, -r, --loader, etc.) therefore never gates npm or npx invocations.

5. sandboxExecutor.js:213 — spawn('npm', [...], { shell: false, cwd: sandboxDir, env }) runs npm. npm's documented behavior is to execute the package's preinstall, install, and postinstall scripts; npx downloads a remote package and executes its bin entry. Both yield arbitrary code execution in the validator process's UID/permissions.

6. src/gep/validator/index.js:189 — the validator daemon polls every 60s by default (EVOLVER_VALIDATOR_DAEMON_INTERVAL_MS), and validator mode is on by default since v1.69.0 (isValidatorEnabled() returns true unless explicitly disabled, index.js:25-34).

The "sandbox" is nominal: it sets a fresh cwd and a stripped env (HOME → tmpdir to hide ~/.npmrc/~/.ssh), but PATH is preserved (so npm/npx resolve), there is no container/chroot/seccomp/uid drop, and nothing prevents the spawned process from writing arbitrary files, opening outbound connections, or reading any file readable by the validator process.

The author's documented threat model at sandboxExecutor.js:31-34 explicitly includes Hub compromise:

"Any command whose first token is not in this set is rejected before spawn(). This prevents command injection via Hub-delivered task.command strings even if Hub itself is compromised or mis-signs a task."

Putting npm and npx on that allowlist defeats that stated goal — both are arbitrary-code-execution-by-design tools.

PoC

Reproduced against v1.70.0-beta.4 (HEAD on main):

Step 1 — plant a malicious package locally (the remote-tarball variant works identically; npm fetches and runs lifecycle scripts in both cases):

mkdir -p /tmp/evil-pkg-validator
cat > /tmp/evil-pkg-validator/package.json  !a.startsWith('-'));
  const FORBIDDEN = new Set(['install', 'i', 'add', 'ci', 'exec', 'x', 'run', 'run-script', 'rebuild', 'pack', 'publish']);
  if (FORBIDDEN.has(sub)) {
    throw new Error('npm/npx subcommand not allowed in sandbox: ' + sub);
  }
  // Require --ignore-scripts on every npm invocation as defense-in-depth.
  if (parsed.executable === 'npm' && !parsed.args.includes('--ignore-scripts')) {
    throw new Error('npm in sandbox requires --ignore-scripts');
  }
  // npx always fetches+executes — disallow entirely.
  if (parsed.executable === 'npx') {
    throw new Error('npx is not allowed in sandbox');
  }
}

Additionally:

1. Sign the Hub's /a2a/fetch response the same way outbound requests are signed (buildHubHeaders). Verify the signature on data.payload in fetchValidationTasks before handing tasks to runInSandbox. This closes the network-MITM variant that does not require Hub compromise.
2. Run runInSandbox under real isolation — drop privileges, disable network, mount tmpfs, apply seccomp — rather than relying solely on an allowlist. The current buildSandboxEnv only redirects HOME/TMPDIR; the spawned process otherwise has full host access.
3. Apply policyCheck.isValidationCommandAllowed() to Hub-delivered validation_commands in validateOneTask, mirroring the gate that already exists for capsule-derived commands in solidify.js / skill2gep.js.