From c83fa7eae2724d04e8dd373a1011dcc17ff35fe9 Mon Sep 17 00:00:00 2001
From: m8in
Date: Wed, 20 May 2026 23:55:46 +0200
Subject: [PATCH] allow @ in parameters and sanitize all parameters using base.set
---
 core/addAndCheckGitRepository.sh | 16 ++++++++++------
 core/addNormalUser.sh | 4 +++-
 core/addToCrontabEveryHour.sh | 15 +++++++--------
 core/base.module.sh | 2 +-
 core/defineAuthorizedKeysOfUser.sh | 9 +++++++--
 core/ensureUsageOfDefinitions.sh | 9 +++++++--
 6 files changed, 35 insertions(+), 20 deletions(-)
diff --git a/core/addAndCheckGitRepository.sh b/core/addAndCheckGitRepository.sh
index a002faa..206879f 100755
--- a/core/addAndCheckGitRepository.sh
+++ b/core/addAndCheckGitRepository.sh
@@ -1,11 +1,12 @@
 #!/bin/bash
+source /cis/core/base.module.sh
 #WARNING: Used for core functionality in setup.sh
 # DO NOT rename the script and test changes well!
-function checkPermissions(){
+function checkPermissions() {
 local _FOLDER _RIGHTS
 _FOLDER="${1:?"Missing first parameter FOLDER"}"
 _RIGHTS="${2:?"Missing second parameter RIGHTS"}"
@@ -27,7 +28,7 @@ function checkPermissions(){
 return 1
 }
-function cloneOrPull {
+function cloneOrPull() {
 local _FOLDER _REPOSITORY
 _FOLDER="${1:?"Missing first parameter FOLDER"}"
 _REPOSITORY="${2:?"Missing second parameter REPOSITORY"}"
@@ -47,7 +48,7 @@ function cloneOrPull {
 return 1
 }
-function printRepository(){
+function printRepository() {
 local _FOLDER _CONFIGURED_REPOSITORY _SUGGESTED_REPOSITORY
 _FOLDER="${1:?"Missing first parameter FOLDER"}"
 _CONFIGURED_REPOSITORY="$(git -C "${_FOLDER:?"Missing FOLDER"}" config --get remote.origin.url 2> /dev/null)"
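Review bot: The `source /cis/core/base.module.sh` line added at the top of the first hunk is unchecked and hard-codes the install root, so on a host where the tree is not under /cis the script keeps running and only stops at the first `base.set` call with a misleading `command not found` (caught by its `|| exit 1`). Failing at the point of the problem is one change: `source /cis/core/base.module.sh || exit 1`. The same unchecked line is added in addNormalUser.sh, addToCrontabEveryHour.sh, defineAuthorizedKeysOfUser.sh and ensureUsageOfDefinitions.sh; addToCrontabEveryHour.sh used to derive its root from `readlink -f "${0}"`, which this commit removes in favour of `${CIS[ROOT]}` (presumably set by the sourced module), so that file now depends on the absolute path being right before anything else can be checked.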
@@ -98,10 +99,13 @@ function addAndCheckGitRepository() {
 }
 # sanitizes all parameters
+base.set FOLDER "${1}" '^[-a-zA-Z0-9/:@._]*$' || exit 1
+base.set RIGHTS "${2}" '^[-a-zA-Z0-9/:@._]*$' || exit 1
+base.set SUGGESTED_REPOSITORY "${3}" '^([-a-zA-Z0-9/:@._]*)?$' || exit 1
 addAndCheckGitRepository \
- "$(echo ${1} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
- "$(echo ${2} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
- "$(echo ${3} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
+ "${FOLDER:?"Missing FOLDER"}" \
+ "${RIGHTS:?"Missing RIGHTS"}" \
+ "${SUGGESTED_REPOSITORY}" \
 && exit 0
 exit 1
diff --git a/core/addNormalUser.sh b/core/addNormalUser.sh
index 7582033..e625cbf 100755
--- a/core/addNormalUser.sh
+++ b/core/addNormalUser.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+source /cis/core/base.module.sh
 #WARNING: Used for core functionality in setup.sh
 # DO NOT rename the script and test changes well!
@@ -36,7 +37,8 @@ function addNormalUser() {
 }
 # sanitizes all parameters
-addNormalUser "$(echo ${1} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
+base.set USER "${1}" '^[a-z][-a-z0-9_.]*$' || exit 1
+addNormalUser "${USER:?"Missing USER"}" \
 && exit 0
 exit 1
diff --git a/core/addToCrontabEveryHour.sh b/core/addToCrontabEveryHour.sh
index e7e7218..567a2b2 100755
--- a/core/addToCrontabEveryHour.sh
+++ b/core/addToCrontabEveryHour.sh
@@ -1,14 +1,11 @@
 #!/bin/bash
+source /cis/core/base.module.sh
 #WARNING: Used for core functionality in setup.sh
 # DO NOT rename the script and test changes well!
-# Folders always ends with an tailing '/'
-_SCRIPT="$(readlink -f "${0}" 2> /dev/null)"
-_CIS_ROOT="${_SCRIPT%%/core/*}/" #Removes longest matching pattern '/core/*' from the end
 # Note that an unprivileged user can use this script successfully,
 # if no user has to be added to the host because it already exists.
 function addToCrontabEveryHour() {
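Review bot: The three `base.set` patterns in the addAndCheckGitRepository hunk admit a leading `-`, so a FOLDER, RIGHTS or SUGGESTED_REPOSITORY value shaped like an option (`--help`, `-rf`) passes validation and is safe only if every consumer separates it with `--`; whether checkPermissions and cloneOrPull do so is outside this hunk. Anchoring the first character keeps the intended alphabet and closes that gap, e.g. `'^[a-zA-Z0-9/:@._][-a-zA-Z0-9/:@._]*$'` for the two required values and `'^([a-zA-Z0-9/:@._][-a-zA-Z0-9/:@._]*)?$'` for the optional third one (both constructed). As written, `'^([-a-zA-Z0-9/:@._]*)?$'` is equivalent to the other two patterns because `*` already matches the empty string, so the optional group only suggests a difference that is not there. The same unanchored alphabet is used in addToCrontabEveryHour.sh, defineAuthorizedKeysOfUser.sh and ensureUsageOfDefinitions.sh.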
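Review bot: `base.set USER "${1}" '^[a-z][-a-z0-9_.]*$'` in the addNormalUser hunk stores the validated argument in `USER`, which is normally the invoking login name inherited from the environment and exported, so after this line `$USER` inside addNormalUser and in every process it spawns names the account being created rather than the caller (base.set appears to assign a global named by its first argument; inferred, its body is not in this diff). A non-colliding name removes the ambiguity: `base.set NEW_USER "${1}" '^[a-z][-a-z0-9_.]*$' || exit 1` and `addNormalUser "${NEW_USER:?"Missing NEW_USER"}" \`. defineAuthorizedKeysOfUser.sh does the same with its second parameter.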
@@ -24,11 +21,11 @@ function addToCrontabEveryHour() {
 && return 0
 [ "$(id -u)" == "0" ] \
- && echo "${_CIS_ROOT:?"Missing CIS_ROOT"}" | grep -F 'home' &> /dev/null \
+ && echo "${CIS[ROOT]:?"Missing CIS_ROOT"}" | grep -F 'home' &> /dev/null \
 && echo "SUCCESS: Although the entry will be skipped: ("$(readlink -f ${0})")" \
 && echo " - '${_STRING}'" \
 && echo " that is because the current environment is:" \
- && echo " - ${_CIS_ROOT}" \
+ && echo " - ${CIS[ROOT]}" \
 && return 0
 [ "$(id -u)" == "0" ] \
@@ -47,9 +44,11 @@ function addToCrontabEveryHour() {
 }
 # sanitizes all parameters
+base.set COMMAND "${1}" '^[-a-zA-Z0-9/:@._]*$' || exit 1
+base.set MINUTE_VALUE "${2}" '^[-a-zA-Z0-9/:@._]*$' || exit 1
 addToCrontabEveryHour \
- "$(echo ${1} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
- "$(echo ${2} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
+ "${COMMAND:?"Missing COMMAND"}" \
+ "${MINUTE_VALUE:?"Missing MINUTE_VALUE"}" \
 && exit 0
 exit 1
diff --git a/core/base.module.sh b/core/base.module.sh
index 0db72db..a7883f8 100755
--- a/core/base.module.sh
+++ b/core/base.module.sh
@@ -14,7 +14,7 @@ function base.checkAllInputParameters() {
 local _ALLOWED_CHARS _ARG _SUCCESS
 # Global whitelist for all start-parameters ($1, $2, ...)
- _ALLOWED_CHARS='-[:alnum:]/_.:'
+ _ALLOWED_CHARS='-[:alnum:]@/_.:'
 readonly _ALLOWED_CHARS
 _SUCCESS="true"
diff --git a/core/defineAuthorizedKeysOfUser.sh b/core/defineAuthorizedKeysOfUser.sh
index b1ce02e..d9e4582 100755
--- a/core/defineAuthorizedKeysOfUser.sh
+++ b/core/defineAuthorizedKeysOfUser.sh
@@ -1,8 +1,11 @@
 #!/bin/bash
+source /cis/core/base.module.sh
 #WARNING: Used for core functionality in setup.sh
 # DO NOT rename the script and test changes well!
+
+
 function prepareFolder() {
 local _HOME_FOLDER _SSH_FOLDER _USER
 _SSH_FOLDER="${1:?"prepareFolder(): Missing parameter SSH_PATH"}"
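Review bot: `base.set MINUTE_VALUE "${2}" '^[-a-zA-Z0-9/:@._]*$'` in the second addToCrontabEveryHour hunk validates what the name says is a crontab minute field with the generic path alphabet, so `abc`, `1/2` or `-5` are accepted and the resulting crontab line is left for cron to reject or misread; what the function does with the value is above the hunk and not visible here. If the field is a plain minute, a numeric pattern pins it: `base.set MINUTE_VALUE "${2}" '^([0-9]|[1-5][0-9])$' || exit 1` (constructed). COMMAND gets the same alphabet, which contains no whitespace and no `%`, so a single entry cannot be split or given arguments; that is a useful property and deserves a comment on the line, e.g. `# COMMAND must be one argument-free path: whitespace and '%' are rejected on purpose`.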
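Review bot: `_ALLOWED_CHARS='-[:alnum:]@/_.:'` in the base.module.sh hunk mixes a POSIX character class with the literal `a-zA-Z0-9` alphabets the per-script `base.set` patterns use, and `[:alnum:]` follows the process locale, so under a UTF-8 locale the global whitelist accepts non-ASCII letters that the per-script regexes then reject and the two layers disagree on what a valid parameter is. Either spell the class out, `_ALLOWED_CHARS='-a-zA-Z0-9@/_.:'`, or perform the match under `LC_ALL=C`; how the variable is applied is in the rest of base.checkAllInputParameters below the hunk. The leading `-` presumably relies on being first inside a bracket expression, which a short comment on the line would make explicit for the next editor.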
@@ -133,9 +136,11 @@ function defineAuthorizedKeysOfUser() {
 }
 # sanitizes all parameters
+base.set DEFINITIONS "${1}" '^[-a-zA-Z0-9/:@._]*$' || exit 1
+base.set USER "${2}" '^[-a-zA-Z0-9/:@._]*$' || exit 1
 defineAuthorizedKeysOfUser \
- "$(echo ${1} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
- "$(echo ${2} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
+ "${DEFINITIONS:?"Missing DEFINITIONS"}" \
+ "${USER:?"Missing USER"}" \
 && exit 0
 exit 1
diff --git a/core/ensureUsageOfDefinitions.sh b/core/ensureUsageOfDefinitions.sh
index 8be950b..2d7e512 100755
--- a/core/ensureUsageOfDefinitions.sh
+++ b/core/ensureUsageOfDefinitions.sh
@@ -1,8 +1,11 @@
 #!/bin/bash
+source /cis/core/base.module.sh
 #WARNING: Used for core functionality in setup.sh
 # DO NOT rename the script and test changes well!
+
+
 function printIfEqual() {
 [ "${1:?"Missing first parameter"}" == "${2}" ] \
 && echo "${1}" \
@@ -215,9 +218,11 @@ function ensureUsageOfDefinitions() {
 }
 # sanitizes all parameters
+base.set DEFINITIONS "${1}" '^[-a-zA-Z0-9/:@._]*$' || exit 1
+base.set CURRENT_FULLFILE "${2}" '^[-a-zA-Z0-9/:@._]*$' || exit 1
 ensureUsageOfDefinitions \
- "$(echo ${1} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
- "$(echo ${2} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
+ "${DEFINITIONS:?"Missing DEFINITIONS"}" \
+ "${CURRENT_FULLFILE:?"Missing CURRENT_FULLFILE"}" \
 && exit 0
 exit 1
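Review bot: `base.set USER "${2}" '^[-a-zA-Z0-9/:@._]*$'` in the defineAuthorizedKeysOfUser hunk validates an account name with the path alphabet, whereas addNormalUser.sh in this same commit restricts the account name to `'^[a-z][-a-z0-9_.]*$'`; here a USER of `../root`, `-x` or `a:b` passes, and judging by the `_HOME_FOLDER`/`_SSH_FOLDER` locals of prepareFolder at the top of the file the value goes on to select a home directory and .ssh path. Reusing the account pattern keeps the two scripts consistent: `base.set USER "${2}" '^[a-z][-a-z0-9_.]*$' || exit 1`. DEFINITIONS is a file path and the path alphabet fits it, as it does CURRENT_FULLFILE in the ensureUsageOfDefinitions hunk.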