Date: Tue, 09 Jun 2026 16:04:32 +0000 From: Baptiste Daroussin <bapt@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 13fb6dbc738f - main - nuageinit: validate set-name to prevent shell injection in variable names Message-ID: <6a283990.22fa1.77541917@gitrepo.freebsd.org>
The branch main has been updated by bapt:
URL: https://cgit.FreeBSD.org/src/commit/?id=13fb6dbc738f4ba30e78a8fb21efa1382c520d33
commit 13fb6dbc738f4ba30e78a8fb21efa1382c520d33
Author: Baptiste Daroussin <bapt@FreeBSD.org>
AuthorDate: 2026-06-09 14:24:56 +0000
Commit: Baptiste Daroussin <bapt@FreeBSD.org>
CommitDate: 2026-06-09 16:04:25 +0000
nuageinit: validate set-name to prevent shell injection in variable names
Shell variable names cannot be safely quoted with shell_escape() — only alphanumeric characters are valid. Add validation that set-name only matches [a-zA-Z0-9]+; invalid values are rejected with a warning and the rename is skipped entirely.
---
 libexec/nuageinit/nuageinit | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit
index 8ca1a2c558c8..ba26f504effb 100755
--- a/libexec/nuageinit/nuageinit
+++ b/libexec/nuageinit/nuageinit
@@ -429,8 +429,12 @@ local function network_config(obj)
 local ifaces = get_ifaces_by_mac()
 local matched = ifaces[v.match.macaddress]
 if matched and matched == interface then
- network:write("ifconfig_" .. interface .. "_name=" .. nuage.shell_escape(v["set-name"]) .. "\n")
- interface = v["set-name"]
+ if not v["set-name"]:match("^[a-zA-Z0-9]+$") then
+ nuage.warn("set-name contains invalid characters, ignoring: " .. v["set-name"])
+ else
+ network:write("ifconfig_" .. interface .. "_name=" .. nuage.shell_escape(v["set-name"]) .. "\n")
+ interface = v["set-name"]
+ end
 end
 end
 if v.dhcp4 then
home | help
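Review bot: The added check calls `v["set-name"]:match(...)` directly, so a `set-name` that the YAML loader returns as a number or a table would raise a Lua error instead of reaching the warning branch; whether the loader can return non-strings for this key is not visible in the hunk. Guarding the type first keeps malformed metadata on the reject path: `local name = v["set-name"]` followed by `if type(name) ~= "string" or not name:match("^[a-zA-Z0-9]+$") then`. The warning also concatenates the rejected value verbatim, so any newlines or control characters in the config end up in the log output; replacing them before logging, for example with `(tostring(name):gsub("%c", "?"))`, avoids that. `network_config` starts and ends outside the hunk, so where `interface` comes from on the paths that skip this rename cannot be judged here and is worth confirming, since it is also spliced into `ifconfig_<name>` variable names.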
