fix(security): eliminate shell injection and add input validation
Replace unsafe string interpolation in aria2 RPC JSON construction with jq --arg for proper escaping. Add magnet URL format validation to reject arbitrary input. Refactor detect-client.sh JSON output to use jq. Add CI security check to prevent regression. Resolves VirusTotal "Suspicious" classification caused by the shell injection vulnerability in add-torrent.sh.
This commit is contained in:
parent
5d409c4a66
commit
d3d6c702ed
6 changed files with 73 additions and 25 deletions
CHANGELOG.md (10)
@ -2,6 +2,16 @@

All notable changes to this project will be documented in this file.

## [0.1.16] - 2026-02-14

### Security

- Fix shell injection vulnerability in aria2 RPC JSON construction (add-torrent.sh)
- Add magnet URL format validation before passing to torrent clients
- Replace shell string interpolation with `jq --arg` for safe JSON construction
- Refactor detect-client.sh JSON output to use `jq` instead of heredoc interpolation
- Add CI security pattern check to prevent unsafe curl payload regression

## [0.1.13] - 2026-02-13

### Features

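Review bot: the new 0.1.16 section is inserted directly above 0.1.13, so the changelog now skips 0.1.14 and 0.1.15; if those versions were released, add their entries (or a one-line note that they were unreleased) so readers do not assume the Security section covers all three. The Security bullets also never say which versions are affected by the add-torrent.sh shell injection; a changelog line for a security fix normally states the affected range (for example "affects releases before 0.1.16") so downstream users can tell whether they need to upgrade.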