Artifacts/unraid-mcp
2
0
Fork 0
forked from HomeLab/unraid-mcp
Code Pull Requests Actions Packages Releases 5 Activity

fix: harden read-logs.sh against GraphQL injection and path traversal

Browse Source 
- Remove slashes from LOG_NAME regex to block path traversal (e.g.
  ../../etc/passwd). Only alphanumeric, dots, hyphens, underscores allowed.
- Cap LINES to 1-10000 range to prevent resource exhaustion.
- Add query script existence check before execution.
- Add query failure, empty response, and invalid JSON guards.

Resolves review thread PRRT_kwDOO6Hdxs5uvKrj
This commit is contained in:
Jacob Magar
2026-02-15 23:03:13 -05:00
parent 91244b66ff
commit fa99c32f6c
1 changed files with 20 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
skills/unraid/examples/read-logs.sh
View File

@@ -5,16 +5,22 @@
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
QUERY_SCRIPT="$SCRIPT_DIR/../scripts/unraid-query.sh" QUERY_SCRIPT="$SCRIPT_DIR/../scripts/unraid-query.sh"
if [[ ! -x "$QUERY_SCRIPT" ]]; then
echo "Error: Query script not found or not executable: $QUERY_SCRIPT" >&2
exit 1
fi
LOG_NAME="${1:-syslog}" LOG_NAME="${1:-syslog}"
LINES="${2:-20}" LINES="${2:-20}"
# Validate inputs to prevent GraphQL injection # Validate inputs to prevent GraphQL injection and path traversal
if ! [[ "$LOG_NAME" =~ ^[a-zA-Z0-9_./-]+$ ]]; then # Only allow simple log names: alphanumeric, dots, hyphens, underscores (no slashes/path traversal)
echo "Error: Invalid log name. Only alphanumeric characters, dots, slashes, hyphens, and underscores are allowed." >&2 if ! [[ "$LOG_NAME" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
echo "Error: Invalid log name. Only alphanumeric characters, dots, hyphens, and underscores are allowed." >&2
exit 1 exit 1
fi fi
if ! [[ "$LINES" =~ ^[0-9]+$ ]]; then if ! [[ "$LINES" =~ ^[0-9]+$ ]] || [[ "$LINES" -eq 0 ]] || [[ "$LINES" -gt 10000 ]]; then
echo "Error: Lines must be a positive integer." >&2 echo "Error: Lines must be an integer between 1 and 10000." >&2
exit 1 exit 1
fi fi
@@ -23,7 +29,15 @@ echo ""
QUERY="{ logFile(path: \"$LOG_NAME\", lines: $LINES) { path totalLines startLine content } }" QUERY="{ logFile(path: \"$LOG_NAME\", lines: $LINES) { path totalLines startLine content } }"
RESPONSE=$("$QUERY_SCRIPT" -q "$QUERY" -f raw) RESPONSE=$("$QUERY_SCRIPT" -q "$QUERY" -f raw) || {
echo "Error: Query failed." >&2
exit 1
}
if [[ -z "$RESPONSE" ]] || ! echo "$RESPONSE" | jq -e . > /dev/null 2>&1; then
echo "Error: Invalid or empty response from query." >&2
exit 1
fi
echo "$RESPONSE" | jq -r '.logFile.content' echo "$RESPONSE" | jq -r '.logFile.content'