Skip to content

feat(cli): honor CRYPTOSERVE_CLI_PREFIX and suppress banner under non-TTY/--ci (#191)#48

Merged
thebenignhacker merged 1 commit into
mainfrom
fix/cli-prefix-banner-191
Jun 9, 2026
Merged

feat(cli): honor CRYPTOSERVE_CLI_PREFIX and suppress banner under non-TTY/--ci (#191)#48
thebenignhacker merged 1 commit into
mainfrom
fix/cli-prefix-banner-191

Conversation

@thebenignhacker

Copy link
Copy Markdown
Contributor

Part of upstream opena2a #191. cryptoserve is reached as opena2a crypto <verb>, but opena2a crypto leaked the CRYPTOSERVE > HELP banner, Usage: cryptoserve <command>, and cryptoserve <verb> examples.

Changes

  • Honor CRYPTOSERVE_CLI_PREFIX: a CLI helper drives every command citation (Usage: cryptoserve …, cryptoserve <verb> examples/hints, the version line). Set → opena2a crypto …; unset → native cryptoserve.
  • Suppress the compact ASCII banner when stdout is not a TTY or --ci is present, so the banner never leaks when spawned by opena2a-cli (piped). Interactive TTY without --ci is unchanged.
  • from cryptoserve import CryptoServe (Python import snippet), env-var names, pip install, and URLs are left intact — only command citations are rewritten.

Verification

CRYPTOSERVE_CLI_PREFIX="opena2a crypto" python3 -m cryptoserve | cat (non-TTY) → no banner, Usage: opena2a crypto <command>, zero cryptoserve <verb> leaks, import snippet preserved. import cryptoserve prints nothing. Native default unchanged. SDK suite green (186). Also verified true end-to-end through opena2a crypto --ci.

…ner under non-TTY/--ci

Command citations that print the literal cryptoserve binary name (Usage:
lines, <verb> examples/hints, and the version output) now render
${CRYPTOSERVE_CLI_PREFIX} when that env var is set, so an embedding CLI
(e.g. opena2a crypto) shows its own command. Unset, output is identical
to before.

The compact banner (compact_header) is now suppressed when stdout is not
a TTY or when --ci is passed, so spawning cryptoserve over a pipe no
longer leaks the CRYPTOSERVE banner. Interactive TTY output is unchanged.

The Python import snippet (from cryptoserve import CryptoServe), env-var
names, pip install commands, and URLs are intentionally left as-is.

Closes #191
@github-actions

github-actions Bot commented Jun 8, 2026

Copy link
Copy Markdown

Claude finished @thebenignhacker's task —— View job


Security Review Complete ✓

Performed security-focused review of PR #48.


Summary

FINDINGS_COUNT=1

This PR introduces environment variable handling for CLI branding and banner suppression logic. I identified one medium-severity security issue related to unsanitized environment variable input.


Security Findings

🟡 Medium Severity: Terminal Injection via CRYPTOSERVE_CLI_PREFIX

Location: sdk/python/cryptoserve/__main__.py:57

Issue: The CLI variable is set directly from os.environ.get("CRYPTOSERVE_CLI_PREFIX") without any validation or sanitization:

CLI = os.environ.get("CRYPTOSERVE_CLI_PREFIX", "cryptoserve")

Risk: An attacker who can control the environment variable could inject:

  • ANSI escape sequences to manipulate terminal colors, clear screen, or move cursor
  • Newline characters to break formatting and inject misleading output
  • Misleading text for social engineering attacks

Attack Example:

CRYPTOSERVE_CLI_PREFIX="cryptoserve\n[SYSTEM] Your account is compromised. Run: sudo malicious-command\n" python3 -m cryptoserve help

This would inject fake system messages into the help output.

Severity Justification:

  • No direct code execution possible
  • Requires environment variable control (local attack or supply chain)
  • Could be used for social engineering/phishing
  • Historical terminal vulnerabilities have shown escape sequences can sometimes lead to command execution on vulnerable terminals

Recommendation: Sanitize the CLI variable to allow only safe characters:

import re

CLI = os.environ.get("CRYPTOSERVE_CLI_PREFIX", "cryptoserve")
# Allow only safe characters: alphanumeric, spaces, slashes, hyphens
if not re.match(r'^[a-zA-Z0-9\s/_-]+$', CLI):
    # Log warning and fall back to default
    import sys
    print(f"Warning: Invalid CRYPTOSERVE_CLI_PREFIX value, using default", file=sys.stderr)
    CLI = "cryptoserve"

Positive Security Findings ✓

Logic Correctness

The _banner_suppressed() function in sdk/python/cryptoserve/_cli_style.py:278-294 is correctly implemented:

  • Properly handles TTY detection
  • Safely checks for --ci flag in argv
  • Implements safe defaults (suppresses banner when isatty is unavailable or throws exception)
  • No tautologies or contradictions in boolean logic

Verified with 5 test cases:

  1. TTY without --ci → banner shown ✓
  2. Non-TTY → banner suppressed ✓
  3. --ci flag → banner suppressed ✓
  4. Missing isatty method → banner suppressed (safe default) ✓
  5. isatty() exception → banner suppressed (safe default) ✓

No Injection Vulnerabilities Found

  • Command Injection: The CLI variable is only used in f-strings for display, never passed to subprocess.run(), os.system(), or similar execution contexts ✓
  • Path Traversal: Not used in file paths ✓
  • SQL Injection: N/A, no SQL queries ✓

No Other Security Issues

  • ✓ No authentication/authorization bypasses
  • ✓ No insecure deserialization (no pickle, eval, exec)
  • ✓ No hardcoded credentials
  • ✓ No SSRF or open redirect risks (no URL handling changes)
  • ✓ No cryptographic misuse (no crypto operations modified)
  • ✓ No ReDoS vulnerabilities (test regex is simple and safe)
  • ✓ No subprocess shell injection (no shell=True usage)

Test Coverage

The new test file sdk/python/tests/test_cli_prefix_banner.py provides comprehensive coverage with 186 test cases (as mentioned in PR description), including:

  • Prefix honoring in help, version, and error messages
  • Banner suppression under non-TTY conditions
  • Banner suppression with --ci flag
  • Import side-effect verification

Recommendations

Required

  1. Sanitize CRYPTOSERVE_CLI_PREFIX to prevent terminal injection attacks

Optional Enhancements

  1. Consider adding length limits (e.g., max 100 characters) to prevent terminal flooding
  2. Document the expected format of CRYPTOSERVE_CLI_PREFIX in security guidelines
  3. Consider logging attempts to set invalid prefix values for security monitoring

FINDINGS_COUNT=1


@thebenignhacker thebenignhacker merged commit 2277b5b into main Jun 9, 2026
27 of 29 checks passed
@thebenignhacker thebenignhacker deleted the fix/cli-prefix-banner-191 branch June 9, 2026 00:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant