Unactioned Review Feedback
Source PR: #318
File: inc/integrations/host-providers/class-laravel-forge-host-provider.php
Reviewers: coderabbit
Findings: 1
Max severity: medium
MEDIUM: coderabbit (coderabbitai[bot])
File: inc/integrations/host-providers/class-laravel-forge-host-provider.php:743
⚠️ Potential issue | 🟠 Major
Validate domain input before using in shell commands to prevent command injection.
The generated deploy command uses rm -rf with the domain name directly interpolated. While WordPress likely validates domain names, an attacker-controlled domain value could potentially contain shell metacharacters, leading to command injection.
Ensure the domain is properly validated and escaped before use in shell commands:
🔒 Proposed security fix
} elseif (defined('WU_FORGE_SYMLINK_TARGET') && WU_FORGE_SYMLINK_TARGET) {
// Build symlink command if target is specified.
+ // Validate domain to prevent command injection
+ if (!preg_match('/^[a-z0-9][a-z0-9\-\.]*[a-z0-9]$/i', $domain)) {
+ wu_log_add(
+ 'integration-forge',
+ sprintf('Invalid domain format for shell command: %s', $domain),
+ LogLevel::ERROR
+ );
+ return '';
+ }
+
$target = str_replace('{domain}', $domain, WU_FORGE_SYMLINK_TARGET);
$command = sprintf(
- 'rm -rf /home/forge/%s/* && ln -s %s /home/forge/%s/public',
- $domain,
- $target,
- $domain
+ 'rm -rf %s && ln -s %s %s',
+ escapeshellarg('/home/forge/' . $domain . '/*'),
+ escapeshellarg($target),
+ escapeshellarg('/home/forge/' . $domain . '/public')
);
}
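Review bot: escapeshellarg('/home/forge/' . $domain . '/*') quotes the asterisk together with the path, so the shell hands rm a literal argument '/home/forge/example.com/*' and the site directory is never emptied; quote only the directory and leave the glob outside the quotes, e.g. escapeshellarg('/home/forge/' . $domain) . '/*', which stays safe because $domain has already passed the preg_match check above. The return '' on a rejected domain only prevents execution if every caller checks for an empty command before sending it to Forge; an exception or an explicit false that callers must handle is harder to ignore. The rejected $domain is also logged verbatim, which is acceptable for a regex failure but means the log line carries whatever metacharacters were supplied, so the log viewer must escape it.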
Committable suggestion skipped: line range outside the PR's diff.
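Added example (an illustration written for this page, not code from PR #318 or from the project's codebase): the unsafe builder the finding describes beside a hardened one, run on a benign domain and on a constructed domain carrying shell metacharacters. The function names, the $site_dir variable, the target template string and the sample domains are assumptions; only the /home/forge/<domain> layout, the {domain} placeholder and the rm -rf / ln -s shape come from the finding. The hardened version quotes the directory and keeps the glob outside the quotes, because escapeshellarg applied to the whole '/home/forge/<domain>/*' string would turn the asterisk into a literal filename.

```php
<?php
declare(strict_types=1);

/**
 * Unsafe builder: interpolates $domain straight into the shell string.
 * This is the 'before' shape the finding describes and is kept vulnerable on purpose.
 */
function build_symlink_command_unsafe(string $domain, string $target_template): string
{
    $target = str_replace('{domain}', $domain, $target_template);

    return sprintf(
        'rm -rf /home/forge/%s/* && ln -s %s /home/forge/%s/public',
        $domain,
        $target,
        $domain
    );
}

/**
 * Hardened builder: reject anything that is not a plain hostname, then quote each path.
 * Returns null for a rejected domain so a caller cannot accidentally run an empty command.
 */
function build_symlink_command_safe(string $domain, string $target_template): ?string
{
    // Hostname labels: letters, digits and inner hyphens, separated by dots, 253 chars max.
    // No slash, space, quote or other shell metacharacter can pass this check.
    $hostname = '/^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?'
              . '(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i';
    if (!preg_match($hostname, $domain)) {
        return null;
    }

    $site_dir = '/home/forge/' . $domain;            // assumed layout, as in the finding
    $target   = str_replace('{domain}', $domain, $target_template);

    // The directory is quoted; the /* glob stays outside the quotes so the shell expands it.
    return sprintf(
        'rm -rf %s/* && ln -s %s %s',
        escapeshellarg($site_dir),
        escapeshellarg($target),
        escapeshellarg($site_dir . '/public')
    );
}

// Constructed inputs: a template of the kind WU_FORGE_SYMLINK_TARGET might hold,
// a benign domain, and a domain that smuggles a second command behind a semicolon.
$template = '/home/forge/{domain}/current/public';
$samples  = [
    'example.com',
    'example.com; id > /tmp/injected #',
];

foreach ($samples as $domain) {
    echo "domain: {$domain}\n";
    echo "  unsafe: " . build_symlink_command_unsafe($domain, $template) . "\n";
    echo "  safe:   " . var_export(build_symlink_command_safe($domain, $template), true) . "\n";
}
```

For the second sample the unsafe builder emits `rm -rf /home/forge/example.com; id > /tmp/injected #/* && ...`, so the injected `id` runs and the `#` comments out the rest of the intended command; the hardened builder returns null for it and, for example.com, emits `rm -rf '/home/forge/example.com'/* && ln -s '/home/forge/example.com/current/public' '/home/forge/example.com/public'`.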
Auto-generated by quality-feedback-helper.sh scan-merged. Review each finding and either fix the code or dismiss with a reason.