security/acme-client SFTP Upload of wildcard Certs

[martinjgrunwald]

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

• [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
• [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
• [x] The title contains the plugin to which this issue belongs

Describe the bug I used the "Upload Certificate via SFTP" automation to upload my wildcard certificate from the OPNsense to an ubuntu machine. The folder on the ubuntu machine was not named correctly. Instead of the folder name starting with * it instead started with -. So the folder name was -.example.org instead of *.examle.org

To Reproduce Steps to reproduce the behavior:

1. Upload a wildcard cert to an Ubuntu machine using the "Upload Certificate via SFTP" automation
2. A folder named -.example.org appears

Expected behavior A folder named *.example.org should appear on the Ubuntu machine

Environment OPNsense 23.1.6-amd64 os-acme-client 3.16

[jkellerer]

This is caused by input sanitization: https://github.com/opnsense/plugins/blob/c8a3470cda9ca7e160af962cf9b0a524cca4e05e/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php#L423

However I think potential unsafe chars shouldn’t be allowed. Asterisk is valid in folder/filenames but dealing with it can be dangerous as it may expand to multiple paths when referencing the folder, depending on how and where it is used.