From 8eabdd17ba9bb6890190971b1f91a9a90a9b9fdb Mon Sep 17 00:00:00 2001
From: Sander Declerck
Date: Fri, 13 Mar 2026 14:19:25 +0100
Subject: [PATCH] Verify token format

---
 install-scripts/install-endpoint-mac.sh | 7 +++++++
 install-scripts/install-endpoint-windows.ps1 | 5 +++++
 2 files changed, 12 insertions(+)

diff --git a/install-scripts/install-endpoint-mac.sh b/install-scripts/install-endpoint-mac.sh
index 8a0424d..684a8a8 100644
--- a/install-scripts/install-endpoint-mac.sh
+++ b/install-scripts/install-endpoint-mac.sh
@@ -103,6 +103,13 @@ main() {
 error "Token is required. Pass it with --token or enter it when prompted."
 fi
 
+ # Validate token to prevent injection
+ case "$TOKEN" in
+ *[\"\'\;\`\$\ ]*)
+ error "Invalid token format. Token must not contain quotes, semicolons, backticks, dollar signs, or whitespace."
+ ;;
+ esac
+
 # 2. Download and verify checksum
 PKG_FILE=$(mktemp /tmp/SafeChainUltimate.XXXXXX.pkg)
 trap cleanup EXIT
diff --git a/install-scripts/install-endpoint-windows.ps1 b/install-scripts/install-endpoint-windows.ps1
index 5c6eb3e..f99d1ff 100644
--- a/install-scripts/install-endpoint-windows.ps1
+++ b/install-scripts/install-endpoint-windows.ps1
@@ -47,6 +47,11 @@ function Install-Endpoint {
 }
 }
 
+ # Validate token to prevent command/property injection via msiexec
+ if ($token -match '[";`$\s]') {
+ Write-Error-Custom "Invalid token format. Token must not contain quotes, semicolons, backticks, dollar signs, or whitespace."
+ }
+
 # 2. Download the .msi
 $msiFile = Join-Path $env:TEMP "SafeChainUltimate-$([System.Guid]::NewGuid().ToString('N')).msi"
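Review bot: The denylist in the new `case "$TOKEN" in` pattern is narrower than its error message claims: `\ ` inside the bracket expression matches only a literal space, so a token containing a tab or newline, or metacharacters such as `&`, `|`, `<`, `>`, parentheses or a backslash, passes the check while the message states that whitespace is rejected. An allowlist pins the accepted format instead of enumerating what is dangerous, e.g. the pattern `*[!A-Za-z0-9_.-]*)` with the class adjusted to whatever character set the token is actually issued with (not visible in this hunk); the same applies to the `-match '[";`$\s]'` class in the install-endpoint-windows.ps1 hunk, which covers `\s` but likewise omits the other characters. The guard also relies on `error` terminating the script, which is defined outside the hunk; if it only prints, the install continues with the rejected token. main() begins before this hunk.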