security: harden run-install-step.sh against directory traversal and missing sudo

Copilot · PDowney · web-flow · commit fd744e09dde3 · 2026-04-10T20:03:41.000Z
Agent-Logs-Url: https://github.com/EngineScript/EngineScript/sessions/b7a76c75-34d2-4d2c-b506-bda5f1f115b4 Co-authored-by: PDowney <11467177+PDowney@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,14 @@ Changes are organized by date, with the most recent changes listed first.
 
 ## 2026-04-10
 
+### 🔒 CI SECURITY HARDENING: run-install-step.sh
+
+- Added install script path validation using `realpath` to prevent directory traversal attacks; the resolved canonical path must be within `scripts/ci/` and is used in place of the raw input when invoking `bash`.
+- Added log path validation to restrict log files to the current working directory, block symlinks, and reject non-regular-file targets before `touch` is called.
+- Added a pre-flight check for `sudo` availability and non-interactive sudo privileges before attempting any privileged commands, producing a clear error message if either requirement is not met.
+
+## 2026-04-10
+
 ### 🐛 VHOST IMPORT LOGGING / EXTRACTION FLOW FIXES
 
 - Removed a duplicate WordPress extraction block in `scripts/functions/vhost/vhost-import.sh` that re-ran archive extraction and wp-config path detection after those steps had already completed.
diff --git a/scripts/ci/run-install-step.sh b/scripts/ci/run-install-step.sh
@@ -12,6 +12,8 @@ TIMEOUT_SECONDS="$2"
 INSTALL_SCRIPT_PATH="$3"
 LOG_PATH="$4"
 INTEGER_REGEX='^[0-9]+$'
+ALLOWED_INSTALL_DIR="$(realpath "$(pwd)/scripts/ci")"
+CANONICAL_INSTALL_SCRIPT_PATH=""
 # `timeout` returns 124 when the wrapped command times out.
 TIMEOUT_EXIT_CODE=124
 
@@ -25,18 +27,71 @@ if [ ! -f "$INSTALL_SCRIPT_PATH" ]; then
   exit 1
 fi
 
+if ! CANONICAL_INSTALL_SCRIPT_PATH="$(realpath "$INSTALL_SCRIPT_PATH" 2>/dev/null)"; then
+  echo "Error: unable to resolve install script path: $INSTALL_SCRIPT_PATH" >&2
+  exit 1
+fi
+
+case "$CANONICAL_INSTALL_SCRIPT_PATH" in
+  "$ALLOWED_INSTALL_DIR"/*) ;;
+  *)
+    echo "Error: install script path must be within $ALLOWED_INSTALL_DIR" >&2
+    exit 1
+    ;;
+esac
+
+ALLOWED_LOG_BASE_DIR="$(pwd -P)"
+LOG_PARENT_DIR="$(dirname -- "$LOG_PATH")"
+LOG_FILENAME="$(basename -- "$LOG_PATH")"
+RESOLVED_LOG_PARENT="$(cd "$LOG_PARENT_DIR" 2>/dev/null && pwd -P)"
+
+if [ -z "${RESOLVED_LOG_PARENT:-}" ]; then
+  echo "Error: log directory does not exist or is not accessible: $LOG_PARENT_DIR" >&2
+  exit 1
+fi
+
+if [ "$RESOLVED_LOG_PARENT" != "$ALLOWED_LOG_BASE_DIR" ] && [[ "$RESOLVED_LOG_PARENT"/ != "$ALLOWED_LOG_BASE_DIR"/* ]]; then
+  echo "Error: log path must be within $ALLOWED_LOG_BASE_DIR: $LOG_PATH" >&2
+  exit 1
+fi
+
+if [ "$LOG_FILENAME" = "." ] || [ "$LOG_FILENAME" = ".." ]; then
+  echo "Error: invalid log file name: $LOG_PATH" >&2
+  exit 1
+fi
+
+if [ -L "$LOG_PATH" ]; then
+  echo "Error: log path must not be a symlink: $LOG_PATH" >&2
+  exit 1
+fi
+
+if [ -e "$LOG_PATH" ] && [ ! -f "$LOG_PATH" ]; then
+  echo "Error: log path must be a regular file: $LOG_PATH" >&2
+  exit 1
+fi
+
 if ! touch "$LOG_PATH" 2>/dev/null; then
   echo "Error: log file is not writable: $LOG_PATH" >&2
   exit 1
 fi
 
+if ! command -v sudo >/dev/null 2>&1; then
+  echo "Error: sudo is required but not available in PATH" >&2
+  exit 1
+fi
+
+if ! sudo -n true >/dev/null 2>&1; then
+  echo "Error: sudo privileges are required to run installation steps non-interactively" >&2
+  exit 1
+fi
+
 echo "Installing ${COMPONENT_NAME}..."
 echo "Script start time: $(date)" > "$LOG_PATH"
 
 set +e
 timeout "$TIMEOUT_SECONDS" \
   sudo env CI_ENVIRONMENT=true DEBIAN_FRONTEND=noninteractive NEEDRESTART_MODE=a NEEDRESTART_SUSPEND=1 \
-  bash "$INSTALL_SCRIPT_PATH" 2>&1 | tee -a "$LOG_PATH"
+  bash "$CANONICAL_INSTALL_SCRIPT_PATH" 2>&1 | tee -a "$LOG_PATH"
 PIPE_EXIT_CODES=("${PIPESTATUS[@]}")
 SCRIPT_EXIT_CODE="${PIPE_EXIT_CODES[0]}"
 TEE_EXIT_CODE="${PIPE_EXIT_CODES[1]}"
