
[BUG] Shell injection via heredoc delimiter TESTSCRIPT in run_test() #117

@Cute0110

Project

term-challenge

Description

The run_test() function writes test scripts to containers using a heredoc with a fixed delimiter TESTSCRIPT that can be exploited for shell injection if the test script contains that string.

Error Observation

If a test script contains the string "TESTSCRIPT", it prematurely terminates the heredoc and allows arbitrary command execution.

Error Message

Debug Logs

System Information

Version: 0.1.0

## Operating System
  OS: Ubuntu 24.04.3 LTS
  Kernel: 6.8.0-79-generic
  Arch: x86_64

## Hardware
  CPU: AMD Ryzen 9 5950X 16-Core Processor (4 cores)
  RAM: 11 GB

## Build Environment
  Rust: rustc 1.92.0 (ded5c06cf 2025-12-08)
  Target: x86_64

Screenshots

No response

Steps to Reproduce

  1. Open src/container/docker.rs
  2. Examine lines 423-434:

```rust
pub async fn run_test(&self, test_script: &str) -> Result<ExecResult> {
    let write_result = self
        .exec(&[
            "sh",
            "-c",
            &format!(
                "cat > /tmp/test.sh << 'TESTSCRIPT'\n{}\nTESTSCRIPT\nchmod +x /tmp/test.sh",
                test_script  // DIRECTLY INTERPOLATED
            ),
        ])
        .await?;
```

  3. Submit a test script containing:

```
echo test
TESTSCRIPT
malicious_command
cat << 'TESTSCRIPT'
```

### Expected Behavior

Should use base64 encoding like `inject_agent_code()` does (line 564).


### Actual Behavior

The heredoc delimiter can be injected, allowing arbitrary shell command execution.

### Additional Context

The codebase already has a secure pattern for this in `inject_agent_code()`.
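
The following is an added example, not part of the original issue and not code from term-challenge. It rebuilds the command string from the snippet above, shows which lines `sh` would parse as commands once the delimiter appears in the script, and contrasts that with a base64 transport. All function names are hypothetical, the body of `inject_agent_code()` is not shown on this page so the base64 command shape is an assumption, and it assumes a `base64` utility exists in the container image.

```rust
// Added example, not code from term-challenge; all function names are hypothetical.
const DELIM: &str = "TESTSCRIPT";

/// The pattern from the issue: script text pasted between heredoc markers.
fn heredoc_command(script: &str) -> String {
    format!("cat > /tmp/test.sh << '{d}'\n{s}\n{d}\nchmod +x /tmp/test.sh", d = DELIM, s = script)
}

/// A here-document ends at the first line that is exactly the delimiter, so
/// everything after that line is parsed by `sh` as commands, not file content.
fn lines_after_first_terminator(cmd: &str) -> Vec<&str> {
    cmd.lines().skip(1).skip_while(|l| *l != DELIM).skip(1).collect()
}

/// Standard base64 (RFC 4648) with padding, hand-written to avoid a crate.
fn base64(data: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let b1 = *chunk.get(1).unwrap_or(&0) as u32;
        let b2 = *chunk.get(2).unwrap_or(&0) as u32;
        let n = (chunk[0] as u32) << 16 | b1 << 8 | b2;
        for i in 0..4 {
            // A chunk of k bytes yields k + 1 symbols; the rest is '=' padding.
            if i <= chunk.len() {
                out.push(T[(n >> (18 - 6 * i) & 63) as usize] as char);
            } else {
                out.push('=');
            }
        }
    }
    out
}

/// Assumed shape of the base64 approach: the script travels as one
/// single-quoted token whose alphabet (A-Z a-z 0-9 + / =) has no newline or quote.
fn base64_command(script: &str) -> String {
    format!("echo '{}' | base64 -d > /tmp/test.sh && chmod +x /tmp/test.sh", base64(script.as_bytes()))
}

fn main() {
    // Constructed input: the test script quoted in the issue.
    let script = "echo test\nTESTSCRIPT\nmalicious_command\ncat << 'TESTSCRIPT'";
    println!("heredoc, parsed as commands: {:?}", lines_after_first_terminator(&heredoc_command(script)));
    println!("base64 form: {}", base64_command(script));
}
```

For a benign script the only line after the terminator is the intended `chmod`; any other line there means script content reached the shell parser.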
