Skip to content

refactor: sanitize shell arguments in WireGuard update script#2197

Closed
elibosley wants to merge 3 commits into
masterfrom
fix/escape-shell-args-wireguard
Closed

refactor: sanitize shell arguments in WireGuard update script#2197
elibosley wants to merge 3 commits into
masterfrom
fix/escape-shell-args-wireguard

Conversation

@elibosley

@elibosley elibosley commented May 20, 2025

Copy link
Copy Markdown
Member

Updated the update.wireguard.php script to use escapeshellarg for all shell command arguments, enhancing security by preventing command injection vulnerabilities. This change affects various functions including isPort, carrier, thisNet, and others that execute system commands.

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced security by escaping shell command arguments across multiple plugins and scripts to prevent injection vulnerabilities.
    • Sanitized user inputs and filenames to avoid path traversal and command injection issues.
  • Style
    • Standardized translation string formatting for consistency.

Updated the update.wireguard.php script to use escapeshellarg for all shell command arguments, enhancing security by preventing command injection vulnerabilities. This change affects various functions including isPort, carrier, thisNet, and others that execute system commands.
@coderabbitai

coderabbitai Bot commented May 20, 2025

Copy link
Copy Markdown
Contributor

"""

Walkthrough

The update applies escapeshellarg() and input sanitization consistently across multiple plugin scripts and internal functions to escape shell command arguments and file paths. This includes variables used in exec(), popen(), file_exists(), glob(), and other shell-related operations. Filenames and inputs are sanitized to prevent shell injection and path traversal vulnerabilities. No control flow or functional logic changes are introduced.

Changes

File(s) Change Summary
emhttp/plugins/dynamix/include/update.wireguard.php, emhttp/plugins/dynamix/scripts/netconfig Applied escapeshellarg() to all shell command arguments and file paths; sanitized peer filenames; standardized string quoting.
emhttp/plugins/dynamix.docker.manager/include/DockerContainers.php, emhttp/plugins/dynamix.docker.manager/include/Helpers.php Escaped shell command arguments in Docker exec and wget commands; wrapped commands with escapeshellcmd() in popen calls.
emhttp/plugins/dynamix.plugin.manager/include/UnraidUpdateCancel.php Wrapped symlink target path with escapeshellarg().
emhttp/plugins/dynamix.plugin.manager/scripts/language, emhttp/plugins/dynamix.plugin.manager/scripts/multiplugin, emhttp/plugins/dynamix.plugin.manager/scripts/plugin Escaped all shell command arguments including paths, URLs, methods, and plugin arguments in exec and popen calls.
emhttp/plugins/dynamix/include/FileSystemStatus.php, emhttp/plugins/dynamix/include/Helpers.php Escaped directory and path variables in shell commands (ps, zpool, btrfs, stat, zfs).
emhttp/plugins/dynamix/include/OpenTerminal.php Sanitized and escaped all dynamic inputs used in shell commands such as socket paths, PIDs, container names, and file paths.
emhttp/plugins/dynamix/include/ProcessStatus.php Escaped device names used within awk patterns in shell commands.
emhttp/plugins/dynamix/include/SMTPtest.php Cast PIDs to integer and escaped them before use in shell commands (ps, kill).
emhttp/plugins/dynamix/include/SmartInfo.php Sanitized filenames to prevent directory traversal; escaped filenames in shell commands for saving and deleting.
emhttp/plugins/dynamix/include/StartCommand.php Escaped posted kill PIDs before executing kill commands.
emhttp/plugins/dynamix/include/SysDevs.php Escaped all dynamic shell command arguments such as USB bus/device numbers, device names, PCI addresses, and interfaces.
emhttp/plugins/dynamix/nchan/file_manager Escaped wildcard and variables in shell commands for file deletion, ownership, permissions, and killing processes.
emhttp/plugins/dynamix/scripts/diagnostics Refactored shareDisks function to use a local variable for the share path in exec calls.

Possibly related PRs

  • Miscellaneous fixes #2175: Modifies update.wireguard.php with similar shell argument escaping and network device checks, indicating a direct code-level connection.

Suggested labels

7.2

Poem

In the warren of code, a rabbit did hop,
Escaping the shells, making injections stop.
With careful arg wraps for every device,
The commands now run safe and nice.
Hopping through paths with a secure little cheer,
The rabbit declares: "No more exploits here!" 🐇✨
"""


🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro (Legacy)

📥 Commits

Reviewing files that changed from the base of the PR and between 4cc2b7f and ce35b65.

📒 Files selected for processing (18)
  • emhttp/plugins/dynamix.docker.manager/include/DockerContainers.php (2 hunks)
  • emhttp/plugins/dynamix.docker.manager/include/Helpers.php (1 hunks)
  • emhttp/plugins/dynamix.plugin.manager/include/UnraidUpdateCancel.php (1 hunks)
  • emhttp/plugins/dynamix.plugin.manager/scripts/language (4 hunks)
  • emhttp/plugins/dynamix.plugin.manager/scripts/multiplugin (1 hunks)
  • emhttp/plugins/dynamix.plugin.manager/scripts/plugin (2 hunks)
  • emhttp/plugins/dynamix/include/FileSystemStatus.php (1 hunks)
  • emhttp/plugins/dynamix/include/Helpers.php (1 hunks)
  • emhttp/plugins/dynamix/include/OpenTerminal.php (2 hunks)
  • emhttp/plugins/dynamix/include/ProcessStatus.php (1 hunks)
  • emhttp/plugins/dynamix/include/SMTPtest.php (1 hunks)
  • emhttp/plugins/dynamix/include/SmartInfo.php (1 hunks)
  • emhttp/plugins/dynamix/include/StartCommand.php (1 hunks)
  • emhttp/plugins/dynamix/include/SysDevs.php (7 hunks)
  • emhttp/plugins/dynamix/include/update.wireguard.php (15 hunks)
  • emhttp/plugins/dynamix/nchan/file_manager (3 hunks)
  • emhttp/plugins/dynamix/scripts/diagnostics (1 hunks)
  • emhttp/plugins/dynamix/scripts/netconfig (1 hunks)
✅ Files skipped from review due to trivial changes (2)
  • emhttp/plugins/dynamix/include/Helpers.php
  • emhttp/plugins/dynamix/scripts/diagnostics
🚧 Files skipped from review as they are similar to previous changes (1)
  • emhttp/plugins/dynamix/include/update.wireguard.php
🧰 Additional context used
🧬 Code Graph Analysis (2)
emhttp/plugins/dynamix.docker.manager/include/Helpers.php (1)
emhttp/plugins/dynamix/include/OpenTerminal.php (1)
  • command (40-43)
emhttp/plugins/dynamix/include/OpenTerminal.php (2)
emhttp/plugins/dynamix/include/Secure.php (1)
  • unbundle (23-25)
emhttp/plugins/dynamix.docker.manager/include/DockerClient.php (1)
  • docker (1135-1138)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (44)
emhttp/plugins/dynamix/scripts/netconfig (1)

44-49: Security improvement through consistent escaping of shell arguments

The updates to the update_wireguard function now apply escapeshellarg() to all variables used in shell commands. This properly sanitizes inputs for grep, sed, and wg-quick commands, preventing potential command injection vulnerabilities.

emhttp/plugins/dynamix/include/SMTPtest.php (2)

33-36: Enhanced security by proper type casting and escaping

Good security improvement by explicitly casting $pid to an integer and then escaping it with escapeshellarg(). This dual-layer approach ensures the value is both numerically valid and properly escaped when used in the ps command.


39-41: Enhanced security by proper type casting and escaping

Similar to the previous improvement, this code now properly casts the process ID to an integer and escapes it with escapeshellarg() before using it in the kill command, preventing command injection.

emhttp/plugins/dynamix.docker.manager/include/Helpers.php (1)

630-631: Security enhancement using escapeshellcmd

Good improvement by applying escapeshellcmd() to the entire command string before passing it to popen(). This protects against shell injection vulnerabilities by escaping potentially dangerous characters in the command.

emhttp/plugins/dynamix.plugin.manager/scripts/multiplugin (1)

44-44: Good security improvement: Shell command arguments properly escaped

The added escapeshellarg() function properly sanitizes both the $method and $pluginArg variables before they're passed to the shell via popen(). This prevents potential command injection vulnerabilities where malicious input could execute arbitrary commands.

emhttp/plugins/dynamix.plugin.manager/scripts/language (6)

184-184: Good security improvement: Directory path properly escaped

The escapeshellarg() function properly sanitizes the $path variable before it's passed to mkdir -p via exec(). This prevents potential directory traversal or command injection attacks through malicious path input.


187-187: Good security improvement: Unzip command arguments properly escaped

Both the destination path ($path) and archive file ($save) are now properly escaped with escapeshellarg() before being passed to the unzip command. This prevents command injection vulnerabilities.


190-190: Good security improvement: rm -rf command path properly escaped

The escapeshellarg() function sanitizes the $path variable before it's passed to the dangerous rm -rf command. This is especially critical since improper escaping could lead to deletion of unintended files.


199-199: Good security improvement: rm -rf command path properly escaped

Similar to the previous instance, the $path variable is properly escaped before being passed to rm -rf, preventing potential command injection vulnerabilities during language removal.


246-246: Good security improvement: Language name properly escaped

The language name ($name) is now properly escaped with escapeshellarg() when recursively executing the script. This prevents command injection vulnerabilities when checking language packs.


268-268: Good security improvement: Language name properly escaped

The language name ($name) is now properly escaped with escapeshellarg() when recursively executing the update command. This prevents command injection vulnerabilities when updating language packs.

emhttp/plugins/dynamix/include/StartCommand.php (1)

22-22: Good security improvement: User input properly escaped

The $_POST['kill'] variable (coming directly from user input) is now properly escaped with escapeshellarg() before being passed to the kill command. This is critical since user input from web requests is a common attack vector for command injection vulnerabilities.

emhttp/plugins/dynamix.docker.manager/include/DockerContainers.php (3)

56-56: Good security improvement: Container name properly escaped

The Docker container name ($name) is now properly escaped with escapeshellarg() before being passed to docker exec. This prevents command injection vulnerabilities when executing commands in Docker containers.


71-71: Good security improvement: File path and URL properly escaped

Both the output file path ($file) and URL ($url) are now properly escaped with escapeshellarg() before being passed to the wget command. This prevents command injection vulnerabilities during file downloads.


76-76: Good security improvement: File path and URL properly escaped

Consistent with the previous instance, both the output file path ($file) and URL ($url) are properly escaped with escapeshellarg() when refreshing the downloaded file. This maintains security throughout the code path.

emhttp/plugins/dynamix/include/ProcessStatus.php (1)

26-27: Excellent security improvement for device input handling

The changes properly sanitize the device input by escaping it before use in shell commands. This prevents command injection vulnerabilities where an attacker could potentially insert malicious shell commands through the $_POST['device'] parameter.

emhttp/plugins/dynamix/include/SmartInfo.php (2)

247-249: Good security improvement for file path sanitization

This change properly sanitizes user-supplied filenames by:

  1. Removing potentially dangerous characters with preg_replace
  2. Using basename() to prevent directory traversal attacks
  3. Using escapeshellarg() to properly escape the filename for shell command usage

This effectively prevents both directory traversal and command injection vulnerabilities.


253-256: Proper path validation for deletion operation

The code now sanitizes the filename before deletion and adds an additional safety check using realpath() to verify the file is within the expected /var/tmp/ directory. This prevents directory traversal attacks that could lead to unauthorized file deletion.

emhttp/plugins/dynamix/include/FileSystemStatus.php (2)

24-26: Secure handling of path variables in shell commands

The code now properly escapes the $path variable in both the ps and zpool status commands, preventing potential command injection vulnerabilities.


31-32: Properly escaped path in btrfs command

The $path variable is now correctly escaped using escapeshellarg() when passed to the btrfs command, which prevents command injection vulnerabilities.

emhttp/plugins/dynamix/nchan/file_manager (4)

141-142: Secure handling of wildcard in find command

The wildcard * is now properly escaped using escapeshellarg(), preventing potential shell injection vulnerabilities in the find command.


200-201: Secure parameter handling in chown command

The $target parameter is now properly escaped with escapeshellarg() before being used in the chown command, preventing command injection vulnerabilities.


207-208: Secure parameter handling in chmod command

The $target parameter is now properly escaped with escapeshellarg() before being used in the chmod command, preventing command injection vulnerabilities.


218-219: Secure PID handling in kill command

The $pid variable is now properly escaped with escapeshellarg() before being used in the kill command, preventing potential command injection vulnerabilities.

emhttp/plugins/dynamix.plugin.manager/scripts/plugin (5)

242-242: Improve security by escaping shell arguments in download function

The addition of escapeshellarg() to sanitize the $name and $url parameters in the wget command properly protects against command injection vulnerabilities.


463-464: Properly escape plugin run command and attributes

The use of escapeshellcmd() for the Run attribute protects against potential command injection attacks when executing plugin commands.


466-467: Properly escape file name in command execution

Escaping the $name parameter before passing it to the command prevents potential command injection vulnerabilities.


469-470: Properly escape LOCAL file path in command execution

Escaping the $file->LOCAL parameter when running commands ensures that file paths containing special characters don't lead to command injection.


474-475: Properly escape temporary file path in command execution

Escaping the $name parameter for inline content prevents command injection when executing the generated script.

emhttp/plugins/dynamix/include/SysDevs.php (7)

24-28: Secure USB device identification by escaping bus and device values

The modification properly escapes USB bus and device numbers before using them in shell commands, preventing command injection vulnerabilities.


81-83: Enhance security for device path handling

Properly escaping the device name before using it in the udevadm command prevents potential command injection attacks.


101-103: Securely handle network interface names

Escaping network interface names before passing them to the readlink command prevents command injection through maliciously crafted interface names.


119-121: Secure IOMMU device path handling

Escaping the PCI device path before using it in the ls command prevents command injection vulnerabilities.


152-154: Securely process PCI device information

Properly escaping PCI addresses before passing them to lspci protects against command injection.


194-196: Enhance security for USB controller enumeration

Escaping the PCI address when searching for USB controllers prevents command injection vulnerabilities in the complex shell command.


215-217: Secure storage device enumeration

Escaping the PCI address when listing storage devices prevents command injection in the grep command.

emhttp/plugins/dynamix/include/OpenTerminal.php (8)

34-39: Strengthen security with dual protection for command execution scripts

This change applies two layers of security:

  1. Input sanitization with regex to limit characters to alphanumeric, dash, underscore, and dot
  2. Shell argument escaping for the final script path

This effectively prevents both path traversal and command injection vulnerabilities.


42-43: Secure file path handling in tail command

Properly escaping the file path before using it in the tail command prevents command injection vulnerabilities.


51-56: Enhance security for process handling

Escaping the process ID, socket path, and shell path when managing ttyd processes prevents command injection vulnerabilities.


62-63: Secure socket and command execution

Escaping the socket path when executing the ttyd command prevents command injection attacks.


68-71: Enhance security for disk log access

Properly escaping file paths, device names, and search patterns in the grep command prevents command injection vulnerabilities.


78-79: Secure log file access

Escaping the socket path and command output ensures safer terminal execution for log files.


86-95: Comprehensive security for Docker container interaction

All Docker-related commands now properly escape container names and command parameters, preventing command injection vulnerabilities when interacting with containers.


101-102: Secure LXC container access

Escaping the container name and command parameters when attaching to LXC containers prevents command injection vulnerabilities.

Comment thread emhttp/plugins/dynamix.plugin.manager/include/UnraidUpdateCancel.php Outdated
…el.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@elibosley elibosley closed this Jun 24, 2025
@elibosley elibosley deleted the fix/escape-shell-args-wireguard branch June 24, 2025 18:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant