From 3a554e21c7f8ec1f9df028b31686c1b2d0973551 Mon Sep 17 00:00:00 2001
From: Gonza Montiel <gon.montiel@gmail.com>
Date: Tue, 10 Feb 2026 00:05:40 -0300
Subject: [PATCH] fix: avoid passing private key by command line

---
 test/cli/handlers/contracts/upgrade.ts | 14 +++++---------
 test/scripts/fund-validators.ts        | 12 +++++++++---
 test/scripts/update-validator-set.ts   |  9 +++++++--
 3 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/test/cli/handlers/contracts/upgrade.ts b/test/cli/handlers/contracts/upgrade.ts
index d64ec0d7..9ef098e1 100644
--- a/test/cli/handlers/contracts/upgrade.ts
+++ b/test/cli/handlers/contracts/upgrade.ts
@@ -206,9 +206,9 @@ const deployServiceManagerImplementation = async (
 
   const actualDeployments = await parseDeploymentsFile(chain);
 
-  // Use environment variables to avoid command injection
-  // Note: Private key is passed via environment variable as required by forge
-  // This is a known limitation of the forge toolchain
+  // Use environment variables to avoid command injection and process list exposure
+  // Note: Private key is passed via PRIVATE_KEY environment variable (not command-line)
+  // to prevent it from appearing in system process lists (security best practice)
   const env = {
     ...process.env,
     PRIVATE_KEY: privateKey,
@@ -226,8 +226,6 @@ const deployServiceManagerImplementation = async (
     "deployServiceManagerImpl()",
     "--rpc-url",
     rpcUrl,
-    "--private-key",
-    privateKey,
     "--broadcast",
     "--non-interactive"
   ];
@@ -296,8 +294,8 @@ const updateServiceManagerProxyWithVersion = async (
 ) => {
   logger.info(`🔄 Updating ServiceManager proxy and setting version to ${version}...`);
 
-  // Note: Private key is passed via environment variable as required by forge
-  // This is a known limitation of the forge toolchain
+  // Note: Private key is passed via PRIVATE_KEY environment variable (not command-line)
+  // to prevent it from appearing in system process lists (security best practice)
   const proxyAdmin = (deployments as any).ProxyAdmin ?? process.env.PROXY_ADMIN;
   if (!proxyAdmin) {
     throw new Error(
@@ -322,8 +320,6 @@ const updateServiceManagerProxyWithVersion = async (
     "updateServiceManagerProxyWithVersion()",
     "--rpc-url",
     rpcUrl,
-    "--private-key",
-    privateKey,
     "--broadcast",
     "--non-interactive"
   ];
diff --git a/test/scripts/fund-validators.ts b/test/scripts/fund-validators.ts
index f7ffefd6..c44e4e51 100644
--- a/test/scripts/fund-validators.ts
+++ b/test/scripts/fund-validators.ts
@@ -160,10 +160,13 @@ export const fundValidators = async (options: FundValidatorsOptions): Promise<bo
     const ethTransferAmount = BigInt(creatorEthBalance) / BigInt(100); // 1% of the balance
     logger.debug(`Transferring ${erc20TransferAmount} tokens to each validator`);
 
+    // Security Note: Private keys are passed via stdin with --interactive flag
+    // using printf (not echo) to avoid command-line exposure in process lists
     for (const validator of validators) {
       if (validator.publicKey !== tokenCreator) {
-        const transferCmd = `${castExecutable} send --private-key ${creatorPrivateKey} ${underlyingTokenAddress} "transfer(address,uint256)" ${validator.publicKey} ${erc20TransferAmount} --rpc-url ${rpcUrl}`;
+        const transferCmd = `printf '%s\\n' "\${PRIVATE_KEY}" | ${castExecutable} send --interactive ${underlyingTokenAddress} "transfer(address,uint256)" ${validator.publicKey} ${erc20TransferAmount} --rpc-url ${rpcUrl}`;
         const { exitCode: transferExitCode, stderr: transferStderr } = await $`sh -c ${transferCmd}`
+          .env({ ...process.env, PRIVATE_KEY: creatorPrivateKey })
           .nothrow()
           .quiet();
         if (transferExitCode !== 0) {
@@ -196,9 +199,12 @@ export const fundValidators = async (options: FundValidatorsOptions): Promise<bo
 
         // Transfer ETH only if the validator has no ETH
         if (BigInt(validatorEthBalance) === BigInt(0)) {
-          const ethTransferCmd = `${castExecutable} send --private-key ${creatorPrivateKey} ${validator.publicKey} --value ${ethTransferAmount} --rpc-url ${rpcUrl}`;
+          const ethTransferCmd = `printf '%s\\n' "\${PRIVATE_KEY}" | ${castExecutable} send --interactive ${validator.publicKey} --value ${ethTransferAmount} --rpc-url ${rpcUrl}`;
           const { exitCode: ethTransferExitCode, stderr: ethTransferStderr } =
-            await $`sh -c ${ethTransferCmd}`.nothrow().quiet();
+            await $`sh -c ${ethTransferCmd}`
+              .env({ ...process.env, PRIVATE_KEY: creatorPrivateKey })
+              .nothrow()
+              .quiet();
           if (ethTransferExitCode !== 0) {
             logger.error(
               `Failed to transfer ETH to validator ${validator.publicKey}: ${ethTransferStderr.toString()}`
diff --git a/test/scripts/update-validator-set.ts b/test/scripts/update-validator-set.ts
index 26b9064f..2665a936 100644
--- a/test/scripts/update-validator-set.ts
+++ b/test/scripts/update-validator-set.ts
@@ -45,16 +45,21 @@ export const updateValidatorSet = async (options: UpdateValidatorSetOptions): Pr
   const serviceManagerAddress = deployments.ServiceManager;
   invariant(serviceManagerAddress, "ServiceManager address not found in deployments");
 
+  // Security Note: Private key is passed via stdin with --interactive flag
+  // using printf to avoid command-line exposure in process lists (security best practice)
   // Using cast to send the transaction
   const executionFee = "100000000000000000"; // 0.1 ETH
   const relayerFee = "200000000000000000"; // 0.2 ETH
   const value = "300000000000000000"; // 0.3 ETH (sum of fees)
 
-  const sendCommand = `${castExecutable} send --private-key ${ownerPrivateKey} --value ${value} ${serviceManagerAddress} "sendNewValidatorSet(uint128,uint128)" ${executionFee} ${relayerFee} --rpc-url ${rpcUrl}`;
+  const sendCommand = `printf '%s\\n' "\${PRIVATE_KEY}" | ${castExecutable} send --interactive --value ${value} ${serviceManagerAddress} "sendNewValidatorSet(uint128,uint128)" ${executionFee} ${relayerFee} --rpc-url ${rpcUrl}`;
 
   logger.debug(`Running command: ${sendCommand}`);
 
-  const { exitCode, stderr } = await $`sh -c ${sendCommand}`.nothrow().quiet();
+  const { exitCode, stderr } = await $`sh -c ${sendCommand}`
+    .env({ ...process.env, PRIVATE_KEY: ownerPrivateKey })
+    .nothrow()
+    .quiet();
 
   if (exitCode !== 0) {
     logger.error(`Failed to send validator set: ${stderr.toString()}`);