improvement(gateway): introduce safeJWTSchema for identity token validation in gateway cmd deployment

[victorvhs017]

Context

We build the gateway deploy command using the provided machine identity token. But we don't validate the token value, allowing shell command injection like:

To prevent this, we added a regex validation on the token value to allow only characters that could be present in a JWT.

Steps to verify the change

Try adding cmd commands in the Deploy Gateway form and check if the validation is working.

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Overview

Greptile Summary

Added JWT token validation to prevent command injection in gateway deployment commands. The PR introduces safeJWTSchema that validates machine identity tokens using a regex pattern allowing only JWT-compatible characters (a-zA-Z0-9._-), effectively blocking shell metacharacters like backticks, semicolons, and pipes that could be used for command injection.

Key changes:

• Created safeJWTSchema in frontend/src/lib/schemas/index.ts with regex validation
• Applied schema to both CLI and systemd gateway deployment methods
• Token validation now occurs before generating shell commands containing the token value

Security impact:
This fix closes a command injection vulnerability where attackers could inject shell commands through the identity token field. The validation is applied client-side before the token is interpolated into CLI commands.

Note: Verify the regex pattern at the ReDoS checker per repository security guidelines (pattern appears safe with no nested quantifiers).

Confidence Score: 4/5

• This PR is safe to merge with minimal risk - it addresses a command injection vulnerability with appropriate input validation
• Score reflects a solid security fix with straightforward implementation. The regex pattern effectively blocks shell metacharacters while allowing valid JWT characters. Minor deduction for needing verification against ReDoS patterns per repository guidelines, though the pattern appears safe
• Verify frontend/src/lib/schemas/index.ts regex pattern with ReDoS checker as required by repository security guidelines

Important Files Changed

Filename	Overview
frontend/src/lib/schemas/index.ts	added safeJWTSchema with regex validation to prevent command injection in JWT tokens
frontend/src/pages/organization/NetworkingPage/components/GatewayTab/components/GatewayCliDeploymentMethod.tsx	replaced basic string validation with safeJWTSchema for identity token in CLI deployment
frontend/src/pages/organization/NetworkingPage/components/GatewayTab/components/GatewayCliSystemdDeploymentMethod.tsx	replaced basic string validation with safeJWTSchema for identity token in systemd deployment

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[scott-ray-wilson]

LGTM, verified jwt regex in form

[scott-ray-wilson]

LGTM, verified relay as well