fix(security): eliminate shell injection and add input validation

Replace unsafe string interpolation in aria2 RPC JSON construction with jq --arg for proper escaping. Add magnet URL format validation to reject arbitrary input. Refactor detect-client.sh JSON output to use jq. Add CI security check to prevent regression. Resolves VirusTotal "Suspicious" classification caused by the shell injection vulnerability in add-torrent.sh.
2026-02-15 10:46:34 +01:00 · 2026-02-15 10:46:34 +01:00 · d3d6c702ed
commit d3d6c702ed
parent 5d409c4a66
6 changed files with 73 additions and 25 deletions
--- a/scripts/add-torrent.sh
+++ b/scripts/add-torrent.sh
@ -44,6 +44,13 @@ if [ -z "$magnet_url" ]; then
  exit 1
 fi

+# --- Validate magnet URL format ---
+if [[ ! "$magnet_url" =~ ^magnet:\?xt=urn:btih:[a-fA-F0-9]{40} ]] && \
+   [[ ! "$magnet_url" =~ ^magnet:\?xt=urn:btih:[a-zA-Z2-7]{32} ]]; then
+  echo "Error: Invalid magnet URL format. Expected: magnet:?xt=urn:btih:<hash>" >&2
+  exit 1
+fi
+
 # --- Auto-detect client if not specified ---
 if [ -z "$client" ]; then
  if command -v transmission-remote >/dev/null 2>&1; then
@ -76,11 +83,14 @@ case "$client" in
    # Check if aria2 RPC is running
    if curl -sf http://localhost:6800/jsonrpc -d '{"jsonrpc":"2.0","id":"test","method":"aria2.getVersion"}' >/dev/null 2>&1; then
      echo "Adding to aria2 via RPC..."
-      dir_param=""
      if [ -n "$download_dir" ]; then
-        dir_param=",{\"dir\":\"$download_dir\"}"
+        payload=$(jq -n --arg url "$magnet_url" --arg dir "$download_dir" \
+          '{"jsonrpc":"2.0","id":"add","method":"aria2.addUri","params":[[$url],{"dir":$dir}]}')
+      else
+        payload=$(jq -n --arg url "$magnet_url" \
+          '{"jsonrpc":"2.0","id":"add","method":"aria2.addUri","params":[[$url]]}')
      fi
-      result=$(curl -sf http://localhost:6800/jsonrpc -d "{\"jsonrpc\":\"2.0\",\"id\":\"add\",\"method\":\"aria2.addUri\",\"params\":[[\"$magnet_url\"]$dir_param]}")
+      result=$(curl -sf http://localhost:6800/jsonrpc -d "$payload")
      if echo "$result" | grep -q '"result"'; then
        echo "Torrent added to aria2 successfully."
      else
--- a/scripts/detect-client.sh
+++ b/scripts/detect-client.sh
@ -73,24 +73,34 @@ elif [ "$aria2_installed" = "true" ]; then
 fi

 # --- JSON Output ---
-cat <<EOF
-{
-  "os": "$os_name",
-  "distro": "$distro",
-  "clients": {
-    "transmission": {
-      "installed": $transmission_installed,
-      "path": $([ -n "$transmission_path" ] && echo "\"$transmission_path\"" || echo "null"),
-      "variant": "$transmission_variant",
-      "remoteAvailable": $transmission_remote_available,
-      "daemonRunning": $transmission_daemon
+jq -n \
+  --arg os "$os_name" \
+  --arg distro "$distro" \
+  --argjson t_installed "$transmission_installed" \
+  --arg t_path "${transmission_path:-}" \
+  --arg t_variant "$transmission_variant" \
+  --argjson t_remote "$transmission_remote_available" \
+  --argjson t_daemon "$transmission_daemon" \
+  --argjson a_installed "$aria2_installed" \
+  --arg a_path "${aria2_path:-}" \
+  --argjson a_daemon "$aria2_daemon" \
+  --arg preferred "$preferred" \
+  '{
+    os: $os,
+    distro: $distro,
+    clients: {
+      transmission: {
+        installed: $t_installed,
+        path: (if $t_path == "" then null else $t_path end),
+        variant: $t_variant,
+        remoteAvailable: $t_remote,
+        daemonRunning: $t_daemon
+      },
+      aria2: {
+        installed: $a_installed,
+        path: (if $a_path == "" then null else $a_path end),
+        daemonRunning: $a_daemon
+      }
    },
-    "aria2": {
-      "installed": $aria2_installed,
-      "path": $([ -n "$aria2_path" ] && echo "\"$aria2_path\"" || echo "null"),
-      "daemonRunning": $aria2_daemon
-    }
-  },
-  "preferred": "$preferred"
-}
-EOF
+    preferred: $preferred
+  }'