Description
In 01-features/02-host-your-agent/01-runtime/04-coding-agents/03-code-agents-competition-e2e/coding_agents/kiro/run.sh, the prompt is passed directly to kiro-cli without a -- end-of-options separator:
case "$ACTION" in
interactive) exec kiro-cli ;;
chat) exec kiro-cli chat --no-interactive --trust-all-tools "$PROMPT" ;;
*) exec kiro-cli "$ACTION" "$PROMPT" ;;
esac
Since the prompt originates from an HTTP request body (via healthcheck.py or connect.py), an attacker can inject arbitrary kiro-cli flags by sending a prompt that starts with --. For example:
# POST /invocations with {"prompt": "--version"}
# Results in:
kiro-cli chat --no-interactive --trust-all-tools --version
# ^^^^^^^^^ interpreted as a flag, not text
This is argv flag smuggling: untrusted input is parsed as options because the data plane (prompt) and control plane (flags) share the same argv list without a boundary.
Steps to Reproduce
# Mock kiro-cli to show how args are parsed:
cat > /tmp/kiro-cli << 'EOF'
#!/usr/bin/env bash
echo "kiro-cli called with:"; i=0; for a in "$@"; do echo " [$i] $a"; ((i++)); done
EOF
chmod +x /tmp/kiro-cli
export PATH="/tmp:$PATH"
# Simulate the launcher:
PROMPT="--version"
kiro-cli chat --no-interactive --trust-all-tools "$PROMPT"
# Output: [3] --version ← parsed as option, not positional text
Suggested Fix
Add -- before "$PROMPT":
case "$ACTION" in
interactive) exec kiro-cli ;;
chat) exec kiro-cli chat --no-interactive --trust-all-tools -- "$PROMPT" ;;
*) exec kiro-cli "$ACTION" -- "$PROMPT" ;;
esac
The -- signals end-of-options per POSIX convention. Everything after it is treated as positional text regardless of leading dashes.
Severity
Medium — reachable by anyone who can POST to /invocations with an arbitrary prompt. The agent already runs with --trust-all-tools, so injecting additional flags could alter execution behavior.
Description
In
01-features/02-host-your-agent/01-runtime/04-coding-agents/03-code-agents-competition-e2e/coding_agents/kiro/run.sh, the prompt is passed directly tokiro-cliwithout a--end-of-options separator:Since the prompt originates from an HTTP request body (via
healthcheck.pyorconnect.py), an attacker can inject arbitrarykiro-cliflags by sending a prompt that starts with--. For example:This is argv flag smuggling: untrusted input is parsed as options because the data plane (prompt) and control plane (flags) share the same argv list without a boundary.
Steps to Reproduce
Suggested Fix
Add
--before"$PROMPT":The
--signals end-of-options per POSIX convention. Everything after it is treated as positional text regardless of leading dashes.Severity
Medium — reachable by anyone who can POST to
/invocationswith an arbitrary prompt. The agent already runs with--trust-all-tools, so injecting additional flags could alter execution behavior.