[Security] Critical validator RCE risk, execSync crashes, and storage race conditions

[imxyanua]

Summary

A security and reliability audit identified several high-priority issues across the validator, execution layer, and storage subsystem. These issues may lead to remote code execution (RCE), process crashes, and data corruption.

Shell injection risk in validator (Critical)

File: src/gep/validator/sandboxExecutor.js
Current implementation:

spawn(String(cmd), { shell: true, cwd, env, ... });

Problem:

• Executes command through system shell
• Vulnerable to shell injection
• High-risk attack vector if commands originate from Hub

Recommended fix:

const { executable, args } = parseCommand(cmd);
spawn(executable, args, { shell: false, cwd, env, ... });

Missing maxBuffer in execSync

Files:

• src/gep/gitOps.js
• src/gep/signals.js
• Any usage of execSync

Problem:

• Default buffer (~1MB) can overflow
• Causes process crashes (ENOBUFS) on large outputs (e.g. git diff)

Recommended fix:

execSync(cmd, {
maxBuffer: 10 * 1024 * 1024,
timeout: ...,
cwd: ...
});

Race conditions in JSON storage
File: src/gep/assetStore.js
Problem:

• Concurrent writes (daemon + scripts) without locking
• Risk of file corruption or data loss
  Recommended fix:

function saveGenes(genes) {
return withFileLock(genesLockPath, () =>
writeJsonAtomic(genesPath, genes)
);
}

Validator behavior not clearly documented

Problem:

• Validator executes commands from Hub
• No clear documentation or warning
• May lead to unintended remote command execution

Recommended actions:

• Document default value of EVOLVER_VALIDATOR_ENABLED
• Add startup warning:
  "WARNING: This node will execute commands received from the Hub"
• Require explicit opt-in instead of implicit enablement

Notes

These issues were identified during a focused audit of execution flow, storage layer, and validator behavior. Fixing them would significantly improve system safety and reliability

[autogame-17]

Thank you very much for the thorough audit, @imxyanua. Every item you raised is now fixed in @evomap/evolver@1.69.8 (published to npm earlier today, also tagged v1.69.8).

#	Item	Status in 1.69.8
H1	sandboxExecutor shell injection	Fixed. spawn(..., { shell: true }) is gone. parseCommand() tokenizes the command and rejects shell metacharacters (;, &, `
H2	Missing maxBuffer on execSync	Fixed. Every execSync call across index.js, src/evolve.js, src/gep/{gitOps,idleScheduler,selfPR,explore}.js, src/ops/{lifecycle,self_repair,skills_monitor}.js, and src/adapters/scripts/evolver-session-end.js now sets maxBuffer: 10 * 1024 * 1024.
H3	Race conditions in JSON storage	Fixed. assetStore.js wraps upsertGene / appendCapsule / upsertCapsule / appendFailedCapsule with an O_EXCL file lock + stale-lock detection via process.kill(pid, 0). See new test test/assetStore.filelock.test.js.
Validator opt-in clarity	Documentation + startup notice	The validator daemon now prints an explicit one-line warning at boot when EVOLVER_VALIDATOR_ENABLED=1, stating CPU / network / stake consumption and the opt-out env var. Comments in src/config.js were also corrected.

Three GitHub Security Advisories cover the execution-layer items raised here and in parallel reports (@autogame-17 triage follow-up):

• GHSA-j5w5-568x-rq53 (Critical) -- execSync command injection in _extractLLM()
• GHSA-r466-rxw4-3j9j (High) -- path traversal via --out= in fetch command
• GHSA-2cjr-5v3h-v2w4 (Medium) -- prototype pollution via Object.assign() in mailbox store

All three were first patched in v1.69.1, and v1.69.8 carries the final hardening. Please upgrade:

npm i -g @evomap/evolver@1.69.8

Regarding PR #452: the public repo is a generated distribution mirror (see the Notes section of your own PR body), so we can not merge outside patches against it directly -- but we hand-ported every H1/H2/H3 item you landed there into the internal maintainer branch, with credit to you in the commit message. Closing #452 accordingly; leaving this issue open for a day so you can confirm on your end, then we will close it.

Credit is recorded in the v1.69.8 release notes and commit trailer.