Critical Shell Injection Regression in deleteViaEphemeral Exposes Staging to Path Traversal

A critical security regression has been identified in the staging environment at commit 36240c75, involving the deleteViaEphemeral function. The vulnerability, catalogued as F1502 under CWE-78 (OS Command Injection), stems from shell string concatenation in the deletion logic. The affected code constructs the command as Cmd: []string{"rm", "-rf", "/configs/" + filePath}, directly interpolating user-controlled file paths into shell arguments without proper sanitization.

The regression introduced a flaw in path validation: while validateRelPath is invoked, it can be circumvented through path traversal sequences. For instance, filepath.Clean("../../../") normalizes to "../..", which passes the validation check. When concatenated with the base path, the resulting command becomes rm -rf /configs/../../../ — an exploitable path traversal vector that could allow deletion of arbitrary files outside the intended directory. The correct implementation, already present on the main branch, uses exec-form with separate arguments: Cmd: []string{"rm", "-rf", "/configs", filePath}, treating the path as a distinct argument rather than string concatenation.

The issue was uncovered during Core-OffSec Audit #17, raising concerns about code change management practices and the integrity of staging environment controls. Immediate remediation requires either switching staging to the exec-form implementation or force-pushing the main branch to restore the patched version. Security teams are urged to audit deployment pipelines and verify that fixes are consistently propagated across all environments, as staging vulnerabilities can serve as entry points for further compromise.