fix: pass Supabase session tokens via env to avoid argv disclosure (CWE-200)#458

Open
sebastiondev wants to merge 2 commits into wonderwhy-er:main from sebastiondev:fix/cwe200-blocking-offline-upd-device-5da3

@sebastiondev sebastiondev commented May 1, 2026

User description

Summary

This PR fixes a sensitive information disclosure (CWE-200 / CWE-214) where Supabase session access_token and refresh_token are passed as command-line arguments to a Node.js subprocess during the device-offline shutdown flow. Process arguments are world-readable on Unix systems (via ps aux and /proc/<pid>/cmdline), so any local user on the same host can capture these tokens while the subprocess is alive.

Affected code

  • src/remote-device/remote-channel.ts: spawnSync('node', [...args]) call around line 442 placed sessionData.session.access_token and sessionData.session.refresh_token into the argv array.
  • src/remote-device/scripts/blocking-offline-update.js — read those tokens back from process.argv.

The subprocess is launched during the device shutdown handler, so the exposure window is short but deterministic (it occurs every shutdown).

Vulnerability details

Data flow

  1. RemoteChannel.markDeviceOffline() retrieves a Supabase session containing the user's access_token and refresh_token.
  2. These tokens were appended to the args array of spawnSync('node', [scriptPath, deviceId, supabaseUrl, supabaseKey, accessToken, refreshToken], ...).
  3. While the child process exists, its full command line (including the tokens) is exposed via:
    • ps aux / ps -ef on any Unix system
    • /proc/<pid>/cmdline, which on default Linux configurations is readable by any local user (mode 0444)
    • Audit / EDR logs that record execve arguments
  4. By contrast, /proc/<pid>/environ is restricted to the same UID (mode 0400), so passing the tokens via the env option of spawnSync is not subject to the same disclosure.

Impact — A captured access_token allows an attacker to authenticate to the Supabase backend as the affected user; the refresh_token extends that access window.

Preconditions

  • A local unprivileged user on the same host as the running DesktopCommander process (multi-user host, shared CI runner, container with multiple workloads, etc.).
  • The subprocess must be alive when the attacker samples /proc or ps. On a busy system a tight polling loop can reliably catch short-lived processes.

The deviceId, supabaseUrl, and supabaseKey (which is the public anon key) remain in argv — these are not session secrets and are safe to expose.

Fix

Move the two tokens out of the argv array and into the env option of spawnSync. The script now reads them from process.env.SUPABASE_ACCESS_TOKEN and process.env.SUPABASE_REFRESH_TOKEN.

 const result = spawnSync('node', [
     scriptPath,
     deviceId,
     supabaseUrl,
-    supabaseKey,
-    sessionData.session.access_token,
-    sessionData.session.refresh_token || ''
+    supabaseKey
 ], {
     timeout: 3000,
     stdio: 'pipe',
-    encoding: 'utf-8'
+    encoding: 'utf-8',
+    env: {
+        ...process.env,
+        SUPABASE_ACCESS_TOKEN: sessionData.session.access_token,
+        SUPABASE_REFRESH_TOKEN: sessionData.session.refresh_token || ''
+    }
 });
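
Review bot: In the added env block, `SUPABASE_REFRESH_TOKEN: sessionData.session.refresh_token || ''` still launches the child with an empty refresh token when the session has none. The description says the script's validation rejects missing tokens, so on that path the subprocess runs only to exit on its argument check; test `sessionData.session.refresh_token` before the spawnSync call and skip with a logged error instead of passing ''. Separately, `...process.env` hands the child the parent's whole environment alongside the two tokens, so a reduced env would narrow what the child and anything it starts can inherit.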

This is the canonical remediation for CWE-214 (sensitive information in process arguments) — environment variables are scoped per-process and not visible across UID boundaries on Unix.

Tests

A regression test was added at test/test-cwe200-credential-exposure.js that statically verifies:

  1. blocking-offline-update.js does not destructure accessToken/refreshToken from process.argv.
  2. The script reads both tokens from process.env.
  3. remote-channel.ts's spawnSync argv array contains neither token, and the options object includes them under env.

Result locally:

Testing CWE-200: Credential exposure via process.argv
  ✅ blocking-offline-update.js should not read access_token/refresh_token from process.argv
  ✅ blocking-offline-update.js should read tokens from environment variables
  ✅ remote-channel.ts should pass tokens via env option in spawnSync, not as args
Results: 3 passed, 0 failed

The change is the only call site of this script (verified via grep), so no other invocations needed updating. The script's argument-count validation still rejects missing tokens with a clear usage message.

Adversarial review

Before submitting, we tried to talk ourselves out of this finding. The main counter-arguments we considered: (1) maybe /proc hardening (hidepid=2) blocks the read — but that's not the default on any major distro, and ps from the same user always works regardless; (2) maybe the subprocess is too short-lived to race — but the 3-second timeout and synchronous network call to Supabase keep it alive long enough for trivial polling; (3) maybe the tokens aren't sensitive — they are full Supabase session credentials, not the public anon key. None of those mitigations hold, so the disclosure is real for any multi-tenant host running DesktopCommander.

cc @lewiswigmore


CodeAnt-AI Description

Keep sensitive device tokens out of process listings during offline shutdown

What Changed

  • Device access and refresh tokens are no longer sent as command-line arguments when marking a device offline.
  • The shutdown script now reads those tokens from environment variables instead, so they are not exposed through ps or /proc/<pid>/cmdline.
  • Added a test that checks tokens stay out of command-line arguments and are passed through the environment.

Impact

✅ Lower risk of token exposure on shared machines
✅ Safer offline shutdown flow
✅ Clearer credential handling during device updates

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Enhanced validation for session credentials during offline device updates—the offline-update process now explicitly verifies that required authentication is present before initiating, preventing silent failures.
    • Improved error messaging when authentication credentials are unavailable during offline operations.
  • Tests

    • Added security verification tests to validate credential handling during offline-update operations.

…E-200)

Tokens (access_token, refresh_token) were passed as command-line arguments
to the blocking-offline-update.js subprocess, making them visible to any
local user via ps aux or /proc/PID/cmdline.

Move sensitive tokens to environment variables (SUPABASE_ACCESS_TOKEN,
SUPABASE_REFRESH_TOKEN) which are only readable by the process owner.

codeant-ai Bot commented May 1, 2026

CodeAnt AI is reviewing your PR.



coderabbitai Bot commented May 1, 2026

Walkthrough

Migrates subprocess authentication from positional CLI args to environment variables. remote-channel.ts skips launching the offline-update when no refresh token is present and passes tokens via SUPABASE_ACCESS_TOKEN / SUPABASE_REFRESH_TOKEN env vars. The script reads tokens from env; a new test verifies no token exposure in argv.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Token Injection Migration / src/remote-device/remote-channel.ts, src/remote-device/scripts/blocking-offline-update.js | Parent process now refuses to spawn the offline-update when the Supabase refresh_token is missing. When spawned, access/refresh tokens are provided via SUPABASE_ACCESS_TOKEN / SUPABASE_REFRESH_TOKEN environment variables instead of positional command-line arguments; script parsing and usage text updated accordingly. |
| CWE-200 Prevention Test / test/test-cwe200-credential-exposure.js | Adds a static PoC test that inspects blocking-offline-update.js and remote-channel.ts to ensure tokens are not referenced via process.argv and are supplied/read via process.env identifiers. Fails with nonzero exit code on detection. |

Sequence Diagram(s)

sequenceDiagram
    participant RemoteChannel as RemoteChannel (parent)
    participant OS as OS / ChildProcess
    participant OfflineScript as blocking-offline-update.js (child)
    participant Supabase as Supabase API

    RemoteChannel->>RemoteChannel: check Supabase session (access/refresh tokens)
    alt refresh_token missing
        RemoteChannel-->>RemoteChannel: log error, skip spawn
    else refresh_token present
        RemoteChannel->>OS: spawn child process with env {SUPABASE_ACCESS_TOKEN, SUPABASE_REFRESH_TOKEN}
        OS->>OfflineScript: start (reads tokens from process.env)
        OfflineScript->>Supabase: perform offline update using env tokens
        Supabase-->>OfflineScript: response
        OfflineScript-->>OS: exit
        OS-->>RemoteChannel: child exit status
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main security fix: moving Supabase tokens from command-line arguments to environment variables to prevent credential exposure (CWE-200). |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@codeant-ai codeant-ai Bot added the size:L This PR changes 100-499 lines, ignoring generated files label May 1, 2026

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
test/test-cwe200-credential-exposure.js (1)

46-54: ⚡ Quick win

Harden the argv regression checks against trivial renames/formatting changes.

These assertions only catch token names on the same line as process.argv, and the args-array check ignores accessToken / refreshToken. A regression that destructures argv across multiple lines or uses camelCase locals could put secrets back into argv without failing this test.

🔍 Tighten the source checks
-    const lines = content.split('\n');
-
-    // Check every line that references process.argv — none should destructure token variables
-    for (const line of lines) {
-        if (line.includes('process.argv')) {
-            assert.ok(
-                !/accessToken|refreshToken|access_token|refresh_token/i.test(line),
-                `Line reads tokens from process.argv: ${line.trim()}`
-            );
-        }
-    }
+    const normalized = content.replace(/\s+/g, ' ');
+    assert.ok(
+        !/process\.argv[\s\S]{0,200}(accessToken|refreshToken|access_token|refresh_token)/i.test(normalized),
+        'Script should not source tokens from process.argv'
+    );
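
Review bot: The replacement pattern `process\.argv[\s\S]{0,200}(...)` is applied to whitespace-collapsed source, so it matches a token name anywhere in the 200 characters after process.argv, including in a later, unrelated statement. A script that takes deviceId from process.argv and then assigns accessToken from process.env on the following line would fail this assertion even though that is the intended post-fix shape. Scope the match to the statement that references process.argv (for example by splitting on `;` first) rather than using a fixed character window.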
@@
-        !argsContent.includes('access_token') && !argsContent.includes('refresh_token'),
+        !/(accessToken|refreshToken|access_token|refresh_token)/i.test(argsContent),
         `Tokens should not be in command args: ${argsContent.trim()}`
     );

Also applies to: 83-88

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/test-cwe200-credential-exposure.js` around lines 46 - 54, The current
test loop that scans lines for "process.argv" (the for loop using variable lines
and the assert.ok with the regex
/accessToken|refreshToken|access_token|refresh_token/i) is too brittle because
it only looks on the same line and misses multi-line destructuring or renames;
update the test to (1) detect any usage of process.argv by parsing the source
into an AST (or at minimum join a sliding window of adjacent lines) and check
surrounding lines for identifier names that match token variants, (2) broaden
the token-name check to canonicalize and match camelCase/snake_case/kebab
variants (e.g., normalize to lower-case and match access ? token|refres h?
token), and (3) apply the same strengthened checks to the second block
referenced (the args-array/assert block around lines 83-88) so destructuring
like const { accessToken } = process.argv or multi-line destructures are caught;
locate and modify the loop that references process.argv, the regex used in
assert.ok, and the second args-array check to implement these changes.

📥 Commits

Reviewing files that changed from the base of the PR and between 8c03d33 and bb221fa.

📒 Files selected for processing (3)
  • src/remote-device/remote-channel.ts
  • src/remote-device/scripts/blocking-offline-update.js
  • test/test-cwe200-credential-exposure.js

Comment thread src/remote-device/remote-channel.ts Outdated
env: {
...process.env,
SUPABASE_ACCESS_TOKEN: sessionData.session.access_token,
SUPABASE_REFRESH_TOKEN: sessionData.session.refresh_token || ''

Suggestion: refresh_token is nullable in this codebase, but this line coerces missing values to an empty string and still spawns the offline-update subprocess. The child script treats an empty refresh token as missing and exits with code 1, so device shutdown can silently fail to mark the device offline whenever the session lacks a refresh token. Validate sessionData.session.refresh_token before spawning and skip/fallback explicitly instead of passing ''. [logic error]

Severity Level: Major ⚠️
- ❌ Device shutdown path fails to mark DB offline.
- ⚠️ `mcp_devices` table keeps stale 'online' statuses.
- ⚠️ RemoteChannel.setOffline() reliability reduced when refresh_token null.
Steps of Reproduction ✅
1. Complete the device authorization flow where the backend returns a PollResponse without
a refresh_token field, which is explicitly supported by `PollResponse.refresh_token?:
string` in `src/remote-device/device-authenticator.ts:21-24`. In this case,
`pollForAuthorization()` at `device-authenticator.ts:112-24` constructs an `AuthSession`
with `refresh_token: data.refresh_token || null`, so refresh_token is stored as `null`.

2. Initialize the remote channel session using this AuthSession by calling
`RemoteChannel.setSession()` in `src/remote-device/remote-channel.ts:46-52`. The method
logs `has refresh_token: false` (line 48) and calls `this.client.auth.setSession({
access_token: session.access_token, refresh_token: session.refresh_token || '' })`,
establishing a Supabase client session where the refresh token is effectively
missing/empty.

3. Trigger a normal device shutdown by calling `Device.shutdown()` in
`src/remote-device/device.ts:3-37` (for example, running the device process and initiating
shutdown). The shutdown sequence logs "→ Marking device offline..." at `device.ts:25-27`
and invokes `await this.remoteChannel.setOffline(this.deviceId);` at `device.ts:28`.

4. Inside `RemoteChannel.setOffline()` in `src/remote-device/remote-channel.ts:21-76`, the
code calls `this.client.auth.getSession()` (line 31) and only validates
`sessionData?.session?.access_token` (line 33), not `refresh_token`. It then spawns the
blocking update script with:

   - `env.SUPABASE_ACCESS_TOKEN = sessionData.session.access_token` and

   - `env.SUPABASE_REFRESH_TOKEN = sessionData.session.refresh_token || ''` at line 453,
   which evaluates to an empty string when the session's refresh_token is null.

   The child script `src/remote-device/scripts/blocking-offline-update.js` reads these env
   vars at lines 18-20 and enforces `if (!deviceId || !supabaseUrl || !supabaseKey ||
   !accessToken || !refreshToken)` at line 22. An empty string `refreshToken` is falsy, so
   the script prints "❌ Missing required arguments" and exits with code 1 (line 25). Back
   in `setOffline()`, the parent sees `result.status === 1` and falls into the generic
   error branch at `remote-channel.ts:19-20` (offset 459-520 section), logging `❌ Update
   process failed with exit code: 1` but not updating `mcp_devices.status` to 'offline'.
   Thus, any shutdown executed with a session lacking a refresh token deterministically
   fails to mark the device offline.



codeant-ai Bot commented May 1, 2026

CodeAnt AI finished reviewing your PR.

@sebastiondev
Author

Thanks both for the careful review — addressed in cd33546.

@CodeAnt-AI (remote-channel.ts L453, nullable refresh_token): Good catch. The previous refresh_token || '' coercion would have caused the subprocess to exit with code 1 and leave the device row silently marked online. Fixed by short-circuiting in setOffline() when sessionData.session.refresh_token is missing, with an explicit error log so the failure is visible. The env value is now passed through unmodified (no empty-string coercion).

@coderabbitai (test-cwe200-credential-exposure.js L46-54, L83-88): Agreed — the line-by-line check would miss multi-line destructures and camelCase renames. Tightened both blocks:

  • Test 1 now strips comments, splits the script into statements (on ; and blank lines), and for any statement that references process.argv asserts that no token-name variant (accessToken/refreshToken/access_token/access-token/etc.) appears in that same statement. This catches multi-line destructures like const { accessToken } = ...process.argv... while still scoping the search to the actual argv-using statement (avoids false positives from unrelated nearby code).
  • Test 2 (args-array check) now uses the unified /(accessToken|refreshToken|access_token|refresh_token)/i regex so camelCase variants in the spawn args array also fail the test.

All three tests still pass locally (node test/test-cwe200-credential-exposure.js).


coderabbitai Bot commented May 1, 2026

🧩 Analysis chain

Let me verify the changes in the updated test file.


🏁 Script executed:

#!/bin/bash
# Check the current state of the test file
fd "test-cwe200-credential-exposure.js" --exec cat {}

Length of output: 4679


@sebastiondev: Thanks for the thorough follow-up. I've reviewed the updated test/test-cwe200-credential-exposure.js at commit cd33546 — both fixes look solid:

  • Test 1 now strips comments first, then splits on ; / blank lines to operate at statement granularity, and applies the broad tokenRe (/\b(accessToken|refreshToken|access[_-]?token|refresh[_-]?token)\b/i) only to statements that actually reference process.argv. This correctly handles multi-line destructures and camelCase variants while avoiding false positives from unrelated nearby code.
  • Test 3 (args-array check) now uses the unified /(accessToken|refreshToken|access_token|refresh_token)/i regex, so camelCase identifiers in the spawn args array would also trigger a failure. ✓

Both concerns are properly addressed. The fix looks good to me!

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
test/test-cwe200-credential-exposure.js (1)

41-112: ⚡ Quick win

Replace the regex scan with a structural assertion.

This test only looks for specific token names in source text, so a refactor that leaks secrets through generic positional argv access could still pass. The raw-text parsing is also brittle around valid JS/TS syntax.

For a CWE-200 regression, verify the actual spawnSync argv/env shape via AST inspection or a focused stubbed execution test.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/test-cwe200-credential-exposure.js` around lines 41 - 112, The current
tests (especially the first and third in test-cwe200-credential-exposure.js)
rely on fragile regex/text scans (tokenRe, statements split, and ad-hoc
spawnSync parsing) which can be bypassed by positional argv usage; replace these
checks with a structural assertion: parse SCRIPT_PATH and CHANNEL_PATH with a
JS/TS parser (e.g., acorn/@babel/parser) and assert AST nodes that read
process.argv do not reference identifier names matching access/refresh tokens
and that spawnSync calls pass tokens via the options.env object (not in the
second argument array). Update the tests that reference process.argv, tokenRe,
statements, spawnSyncIdx, argsArrayMatch and optionsMatch to use AST traversal
(or a focused stubbed spawnSync execution) to verify argv vs env shapes instead
of raw regex matching.

📥 Commits

Reviewing files that changed from the base of the PR and between bb221fa and cd33546.

📒 Files selected for processing (2)
  • src/remote-device/remote-channel.ts
  • test/test-cwe200-credential-exposure.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/remote-device/remote-channel.ts
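
One way to write the "focused stubbed execution test" suggested in the review above, as an added example that is not part of the PR or the project's code: it records the spawn call through a stub and checks argv and env by secret value instead of by identifier name. `launchBefore`, `launchAfter`, the recorder, the placeholder arguments and the sample tokens are hypothetical stand-ins constructed here for the two call shapes in the diff.

```javascript
// Constructed sample session: the token values are fake and exist only for this example.
const SAMPLE_SESSION = {
  access_token: 'constructed-access-token-0001',
  refresh_token: 'constructed-refresh-token-0002',
};
// Placeholder non-secret arguments (script path, device id, URL, anon key).
const BASE_ARGS = ['script.js', 'device-1', 'https://example.invalid', 'anon-key'];
const BASE_OPTS = { timeout: 3000, stdio: 'pipe', encoding: 'utf-8' };

// Hypothetical stand-in for the pre-fix call shape: tokens appended to argv.
function launchBefore(spawn, session) {
  return spawn('node', [...BASE_ARGS, session.access_token, session.refresh_token || ''], BASE_OPTS);
}

// Hypothetical stand-in for the post-fix call shape: tokens only in options.env,
// and no spawn at all when a token is missing.
function launchAfter(spawn, session, baseEnv = {}) {
  if (!session.access_token || !session.refresh_token) return null;
  return spawn('node', [...BASE_ARGS], {
    ...BASE_OPTS,
    env: {
      ...baseEnv,
      SUPABASE_ACCESS_TOKEN: session.access_token,
      SUPABASE_REFRESH_TOKEN: session.refresh_token,
    },
  });
}

// Recording stub with the (command, args, options) shape of child_process.spawnSync.
function makeRecorder() {
  const calls = [];
  const spawn = (command, args = [], options = {}) => {
    calls.push({ command, args: [...args], options });
    return { status: 0, stdout: '', stderr: '' };
  };
  return { calls, spawn };
}

// Audit one recorded call by value: an argv element that contains a secret is a
// leak, whatever the source variable was named or however the code was formatted.
function auditCall(call, secrets) {
  const argv = [call.command, ...call.args].map(String);
  const leakedArgvIndexes = [];
  argv.forEach((arg, i) => {
    if (secrets.some((s) => arg.includes(s))) leakedArgvIndexes.push(i);
  });
  const envValues = Object.values(call.options.env || {});
  const missingFromEnv = secrets.filter((s) => !envValues.includes(s));
  return { leakedArgvIndexes, missingFromEnv };
}

// Run a launch function against the recorder and audit every spawn it made.
function auditLaunch(launch, session) {
  const { calls, spawn } = makeRecorder();
  launch(spawn, session);
  const secrets = [session.access_token, session.refresh_token].filter(Boolean);
  return { spawned: calls.length, audits: calls.map((c) => auditCall(c, secrets)) };
}

console.log('before:', JSON.stringify(auditLaunch(launchBefore, SAMPLE_SESSION)));
console.log('after: ', JSON.stringify(auditLaunch(launchAfter, SAMPLE_SESSION)));
```

Used against the real module, the recorder would be injected in place of spawnSync; how that injection is done depends on the project's test setup and is not shown on this page.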
