From 73c4a343e15b4772eb179015e14dbf109d2439df Mon Sep 17 00:00:00 2001
From: mdevolde
Date: Sun, 5 Apr 2026 23:46:01 +0200
Subject: [PATCH] luci-app-lxc: add user input checks

Checks the user inputs for the lxc_create endpoint.
Pases these inputs through two regular expressions.
Applies shell quoting to these user inputs.

Signed-off-by: mdevolde
---
 .../luci-app-lxc/ucode/controller/lxc.uc | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/applications/luci-app-lxc/ucode/controller/lxc.uc b/applications/luci-app-lxc/ucode/controller/lxc.uc
index 879ee42b85..28d7748efa 100644
--- a/applications/luci-app-lxc/ucode/controller/lxc.uc
+++ b/applications/luci-app-lxc/ucode/controller/lxc.uc
@@ -10,6 +10,21 @@ import { connect } from 'ubus';
 const ctx = cursor();
 const LXC_URL = ctx.get('lxc', 'lxc', 'url');
 
+function shellquote(value) {
+	if (value == null)
+		value = '';
+
+	return "'" + replace(value, "'", "'\\''") + "'";
+}
+
+function is_valid_lxc_name(value) {
+	return type(value) == 'string' && match(value, /^[A-Za-z0-9._-]{1,64}$/) != null;
+}
+
+function is_valid_lxc_template(value) {
+	return type(value) == 'string' && match(value, /^.+:.+$/) != null;
+}
+
 function statfs(path) {
 	let p = fs.popen('df -kP ' + path);
 	p.read('line'); // header
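Review bot: The name pattern in `is_valid_lxc_name` still admits `.`, `..` and names that begin with `-`, and `is_valid_lxc_template` accepts any character on either side of the colon (spaces, slashes, further `..`), so the new regexes bound the shell-quoting fix but not the path and argument values built from these strings — `lxc_create` forms `path + lxc_name + '/partial'` from the name and hands dist/release to the download template, which presumably uses them in cache paths and URLs. I would tighten both checks to `match(value, /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/) != null` and `match(value, /^[A-Za-z0-9._-]+:[A-Za-z0-9._-]+$/) != null`, which still covers the `dist:release` pairs the download template expects (e.g. `ubuntu:22.04`, `alpine:edge`). A one-line comment on each helper stating what it guards, such as `// container name doubles as a directory name under the lxc path`, would tell the next reader why the character set is this narrow. Note too that `.` in the template pattern may match a newline depending on how ucode compiles the regex; the tighter class above sidesteps that question.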
@@ -53,12 +68,19 @@ const LXCController = {
 	lxc_create: function(lxc_name, lxc_template) {
 		http.prepare_content('text/plain');
+		if (!is_valid_lxc_name(lxc_name)) {
+			return;
+		}
+		if (!is_valid_lxc_template(lxc_template)) {
+			return;
+		}
+
 		let path = this.lxc_get_config_path();
 		if (!path)
 			return;
 
 		let arr = match(lxc_template, /^(.+):(.+)$/);
 		let lxc_dist = arr[1], lxc_release = arr[2];
-		system(`/usr/bin/lxc-create --quiet --name ${lxc_name} --bdev best --template download -- --dist ${lxc_dist} --release ${lxc_release} --arch ${this.lxc_get_arch_target(LXC_URL)} --server ${LXC_URL}`);
+		system(`/usr/bin/lxc-create --quiet --name ${shellquote(lxc_name)} --bdev best --template download -- --dist ${shellquote(lxc_dist)} --release ${shellquote(lxc_release)} --arch ${this.lxc_get_arch_target(LXC_URL)} --server ${LXC_URL}`);
 
 		while (fs.access(path + lxc_name + '/partial')) {
 			sleep(1000);
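Review bot: The quoting stops at the two user-supplied fields; `${this.lxc_get_arch_target(LXC_URL)}` and `${LXC_URL}` on the new `system()` line are still spliced into the command unquoted. `LXC_URL` is read from UCI (`ctx.get('lxc', 'lxc', 'url')`), so it is operator-controlled rather than request-controlled, but a URL containing a space or `&` still breaks the command, and quoting it costs nothing: `--arch ${shellquote(this.lxc_get_arch_target(LXC_URL))} --server ${shellquote(LXC_URL)}`. The two new guards also `return` silently after `http.prepare_content('text/plain')`, so a rejected request is indistinguishable from a successful one to the caller; writing a short error body or setting a 4xx status before the `return` (whichever this controller's http module supports) would make the rejection visible. The body of `lxc_create` continues past the end of the hunk.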