bugy / script-server

Web UI for your scripts with execution management

add filter to parameter text #529

Closed fnpanic closed 2 years ago

fnpanic commented 2 years ago

Hi,

The parameter type ip is great because it saves the sanity checking for this input.

It would also be great to have this for text. So you could forbid the usage of ' or \ or a space, for example, to avoid someone getting a shell on the box if the script is not filtering it properly.

It is only to filter any shell injection at the frontend level. Maybe there is a smart way to do this in bash already that I am not aware of.

In any case it would be handy to just limit an input to alphanumeric chars and, for example, . and -. Including language-specific chars can also easily be extended with an allow list (e.g. ä ü ö).

fnpanic commented 2 years ago

Or is this already done by script-server?

https://github.com/bugy/script-server/wiki#shell-commands-injection

bugy commented 2 years ago

Hi @fnpanic, yes, shell injection should not be possible (on Linux/macOS) unless you explicitly enable it by using "shell: true".

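The following is an added illustration of the two points in this thread, not code from script-server itself. It shows why passing a parameter as a separate argv element (Python's subprocess with shell=False, the default) keeps shell metacharacters inert, what changes once shell=True is set, and what the allow-list filter proposed above would look like. The payload, the hypothetical helper names and the regex are all constructed for this example; the shell=True path assumes a POSIX /bin/sh (Linux/macOS).

```python
import re
import subprocess
import sys

# Constructed sample input: what an attacker might type into a free "text" parameter.
HOSTILE_VALUE = "foo; echo INJECTED"


def run_without_shell(value: str) -> str:
    """Pass the parameter as one argv element (shell=False, the default).

    No shell parses the string, so the child receives it verbatim as argv[1];
    the ';' is just a character. A tiny Python child is used instead of a real
    script so the example runs offline on any platform.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def run_with_shell(value: str) -> str:
    """Same value interpolated into a command line and run with shell=True.

    /bin/sh now tokenises the string: ';' ends the first command and the
    attacker-controlled remainder runs as its own command (assumes POSIX sh).
    """
    result = subprocess.run(
        "echo " + value, shell=True, capture_output=True, text=True,
    )
    return result.stdout


# Hypothetical allow-list from the feature request: alphanumerics, '.', '-',
# plus a few language-specific letters. Extend the class as needed.
_ALLOWED = re.compile(r"[A-Za-z0-9.\-äöü]+")


def is_allowed(value: str) -> bool:
    """Frontend-style allow-list check; fullmatch so a trailing newline or
    any stray metacharacter rejects the whole value."""
    return _ALLOWED.fullmatch(value) is not None


if __name__ == "__main__":
    print("argv element (shell=False):", repr(run_without_shell(HOSTILE_VALUE)))
    print("interpolated (shell=True):", repr(run_with_shell(HOSTILE_VALUE)))
    for candidate in ("web-01.example", "Müller", HOSTILE_VALUE):
        print(f"{candidate!r:>25} allowed: {is_allowed(candidate)}")
```

The first call prints the payload back unchanged as a single argument; the second prints two lines, the second of which is the injected command's output. The allow-list is a defence-in-depth measure for scripts that may themselves hand the value to a shell, not a replacement for keeping shell: true off.
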
fnpanic commented 2 years ago

Thanks for the clarification! This can be closed then.