From fa99c32f6cce928d30870da0d8b6e5ee00a29060 Mon Sep 17 00:00:00 2001
From: Jacob Magar
Date: Sun, 15 Feb 2026 23:03:13 -0500
Subject: [PATCH] fix: harden read-logs.sh against GraphQL injection and path traversal
- Remove slashes from LOG_NAME regex to block path traversal (e.g. ../../etc/passwd). Only alphanumeric, dots, hyphens, underscores allowed.
- Cap LINES to 1-10000 range to prevent resource exhaustion.
- Add query script existence check before execution.
- Add query failure, empty response, and invalid JSON guards.
Resolves review thread PRRT_kwDOO6Hdxs5uvKrj
---
 skills/unraid/examples/read-logs.sh | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/skills/unraid/examples/read-logs.sh b/skills/unraid/examples/read-logs.sh
index 8193839..c4525ad 100755
--- a/skills/unraid/examples/read-logs.sh
+++ b/skills/unraid/examples/read-logs.sh
@@ -5,16 +5,22 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 QUERY_SCRIPT="$SCRIPT_DIR/../scripts/unraid-query.sh"
+if [[ ! -x "$QUERY_SCRIPT" ]]; then
+ echo "Error: Query script not found or not executable: $QUERY_SCRIPT" >&2
+ exit 1
+fi
+
 LOG_NAME="${1:-syslog}"
 LINES="${2:-20}"
-# Validate inputs to prevent GraphQL injection
-if ! [[ "$LOG_NAME" =~ ^[a-zA-Z0-9_./-]+$ ]]; then
- echo "Error: Invalid log name. Only alphanumeric characters, dots, slashes, hyphens, and underscores are allowed." >&2
+# Validate inputs to prevent GraphQL injection and path traversal
+# Only allow simple log names: alphanumeric, dots, hyphens, underscores (no slashes/path traversal)
+if ! [[ "$LOG_NAME" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
+ echo "Error: Invalid log name. Only alphanumeric characters, dots, hyphens, and underscores are allowed." >&2
 exit 1
 fi
-if ! [[ "$LINES" =~ ^[0-9]+$ ]]; then
- echo "Error: Lines must be a positive integer." >&2
+if ! [[ "$LINES" =~ ^[0-9]+$ ]] || [[ "$LINES" -eq 0 ]] || [[ "$LINES" -gt 10000 ]]; then
+ echo "Error: Lines must be an integer between 1 and 10000." >&2
 exit 1
 fi
@@ -23,7 +29,15 @@ echo ""
 QUERY="{ logFile(path: \"$LOG_NAME\", lines: $LINES) { path totalLines startLine content } }"
-RESPONSE=$("$QUERY_SCRIPT" -q "$QUERY" -f raw)
+RESPONSE=$("$QUERY_SCRIPT" -q "$QUERY" -f raw) || {
+ echo "Error: Query failed." >&2
+ exit 1
+}
+
+if [[ -z "$RESPONSE" ]] || ! echo "$RESPONSE" | jq -e . > /dev/null 2>&1; then
+ echo "Error: Invalid or empty response from query." >&2
+ exit 1
+fi
 echo "$RESPONSE" | jq -r '.logFile.content'
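Review bot: In the first hunk, the new `LINES` range test does not hold for every string the regex accepts, because `-eq` and `-gt` inside `[[ ]]` evaluate their operands as arithmetic: a leading zero is read as octal (`08` appears to make both comparisons error out, so the `if` falls through as valid), and a digit string of unbounded length can overflow bash's integer type. Constraining the shape before comparing avoids both, e.g. `if ! [[ "$LINES" =~ ^[1-9][0-9]{0,4}$ ]] || (( LINES > 10000 )); then`. The tightened `LOG_NAME` pattern also still accepts `.` and `..` as a complete name and names beginning with `-`; `^[a-zA-Z0-9][a-zA-Z0-9_.-]*$` would exclude those. Since this is a client-side check in an example script, the API should still be treated as the place where the path restriction is enforced.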
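Review bot: In the second hunk, the JSON guard added before the final `jq -r '.logFile.content'` only proves that the response parses, so a well-formed reply without that field (for instance an error object, if `-f raw` passes those through) still prints `null` and the script reports success. Testing the field itself makes that failure visible: `if [[ -z "$RESPONSE" ]] || ! jq -e '.logFile.content' <<<"$RESPONSE" >/dev/null 2>&1; then`. The same guard reports a missing `jq` binary as an invalid response, so a `command -v jq` test next to the `QUERY_SCRIPT` check would give a clearer error. The log text is written to the terminal unfiltered by `jq -r`, which deserves a comment because log lines can carry control characters.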