Prevent adding hurtful commands

Signed-off-by: Joas Schilling <coding@schilljs.com>
author: Joas Schilling <coding@schilljs.com> 2020-04-20 10:20:52 +0300
committer: Joas Schilling <coding@schilljs.com> 2020-04-20 10:20:52 +0300
commit: d43f67ec2ecbe24ff0aa6f53e498c4965047bf98 (patch)
tree: 4bde14705f6bbeb0031c07c706ea9d6540577e34 /lib/Service/CommandService.php
parent: 296596ca32ec320ecee108311aa9c1d814991127 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/Service/CommandService.php b/lib/Service/CommandService.php
index 2f40b3f9c..b7d147cd8 100644
--- a/lib/Service/CommandService.php
+++ b/lib/Service/CommandService.php
@@ -142,6 +142,13 @@ class CommandService {
 					throw new \InvalidArgumentException('script', 3);
 				}
 			} else {
+				if (preg_match('/[`\'"]{(?:ARGUMENTS|ROOM|USER)}[`\'"]/i', $script)) {
+					throw new \InvalidArgumentException('script-parameters', 6);
+				}
+				if (strpos($script, '{ARGUMENTS_DOUBLEQUOTE_ESCAPED}') !== false) {
+					throw new \InvalidArgumentException('script-parameters', 6);
+				}
+
 				try {
 					$this->shellExecutor->execShell($script, '--help');
 				} catch (\InvalidArgumentException $e) {
author	Joas Schilling <coding@schilljs.com>	2020-04-20 10:20:52 +0300
committer	Joas Schilling <coding@schilljs.com>	2020-04-20 10:20:52 +0300
commit	d43f67ec2ecbe24ff0aa6f53e498c4965047bf98 (patch)
tree	4bde14705f6bbeb0031c07c706ea9d6540577e34 /lib/Service/CommandService.php
parent	296596ca32ec320ecee108311aa9c1d814991127 (diff)