fix(security): eliminate shell injection and add input validation
Replace unsafe string interpolation in aria2 RPC JSON construction with jq --arg for proper escaping. Add magnet URL format validation to reject arbitrary input. Refactor detect-client.sh JSON output to use jq. Add CI security check to prevent regression. Resolves VirusTotal "Suspicious" classification caused by the shell injection vulnerability in add-torrent.sh.
This commit is contained in:
parent
5d409c4a66
commit
d3d6c702ed
6 changed files with 73 additions and 25 deletions
18
.github/workflows/ci.yml
vendored
@ -51,3 +51,21 @@ jobs:
- name: Run ShellCheck
run: shellcheck scripts/*.sh
security-check:
name: Security patterns check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check for unsafe string interpolation in curl payloads
run: |
# Flag inline JSON in double quotes (allows shell interpolation).
# Safe patterns: curl -d '{}' (single quotes) or curl -d "$var" (pre-built payload).
if grep -rPn 'curl.*-d\s*"[{]' scripts/*.sh; then
echo ""
echo "ERROR: Found curl -d with inline JSON in double quotes."
echo "Use jq --arg to build JSON safely and pass via variable."
exit 1
fi
echo "No unsafe curl patterns found."
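Review bot: the regex `curl.*-d\s*"[{]` is narrower than the comment above it claims, so the new `security-check` job will pass code that still interpolates shell variables into JSON. It only matches the short `-d` flag, so `--data`, `--data-raw` and `--data-binary` with an inline `"{...}"` payload slip through; it is line-based, so a `curl` whose `-d` argument sits on a continuation line is never seen; and the comment's "single quotes are safe" rule is not what the check enforces: a payload written as `'{"params":["'"$url"'"]}'` starts with a single quote, passes the grep, and still splices `$url` into the JSON unescaped. Consider widening the pattern to the long flag forms, for example `curl.*(-d|--data(-raw|-binary)?)\s*"[{]`, adding a second grep for the `'"$` / `'"${` concatenation idiom, and, if multi-line `curl` calls exist in `scripts/`, running the check with `grep -Pzo` (or a small awk that joins backslash-continued lines) so the flag and its argument are matched on one logical line.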