-
-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: sanitize_input
does not work as expected
#324
Comments
Looking at configng/tools/modules/functions/config_interface.sh Lines 480 to 491 in 0a257fd
My guess is that the intended behavior was to terminate program execution and print out an error message. However, in most cases Line 94 in 0a257fd
or Line 106 in 0a257fd
This will terminate the sub-shell with exit code 1, but unless checked in the super-shell, will continue normal execution, which is what's happening here. |
Suggestions to resolve the bug:
|
And, obviously, |
@dimitry-ishenko Sanitise input contribution was aimed primarily at removing escape sequences. This has been a place for expanding and learning: If a may ask :) Are you saying that while the implementation is flawed (BUG), the concept is not, and For later implementation and though. |
It's hard to tell without knowing the original intent, but I would say it should be removed... I am not a security specialist, but I don't see what problem it's trying to solve... Is there a case of using an escape sequence to compromise the system? Or, if there is a valid need for it, then maybe it can be modified to use a blacklist to detect escape char in the input instead. |
The intent was precaution more than anything for when armbian-config was not strictly an admin tool as it is now. |
Maybe it should be removed for now, and if the need arises later, it can be resurrected. Just my 2 cents. |
What happened?
While testing PR #320 I would get the following error:
admin@armbian:~/configng$ bin/armbian-config --api pkg_install vim-airline Reading package lists... Done Building dependency tree... Done Reading state information... Done E: Unable to locate package Invalid argument: vim-airline
Upon further testing, any package containing dash (
-
) in the name would produce similar error.It turns out the error is generated by the
sanitize_input
function which does not allow dashes. However, the pipeline doesn't seem to work as expected, since instead of just reporting the error "Invalid argument: vim-airline," this output is passed further down the pipeline.In the end the
pkg_install
function tries to install a package calledInvalid argument: vim-airline
, which results in a confusing error.How to reproduce?
See above.
On which host OS are you running the build script and observing this problem?
Ubuntu 24.04 Noble
Code of Conduct
The text was updated successfully, but these errors were encountered: