From df8be031cb92ab175443b04846ba9cd3e7934ac7 Mon Sep 17 00:00:00 2001 From: Reinier Criel Date: Fri, 10 Apr 2026 15:38:51 -0700 Subject: [PATCH] Validate ENV VAR --- install-scripts/install-safe-chain.ps1 | 26 +++++++++++++----------- install-scripts/install-safe-chain.sh | 24 ++++++++++++---------- install-scripts/uninstall-safe-chain.ps1 | 26 +++++++++++++----------- install-scripts/uninstall-safe-chain.sh | 25 +++++++++++++---------- 4 files changed, 55 insertions(+), 46 deletions(-) diff --git a/install-scripts/install-safe-chain.ps1 b/install-scripts/install-safe-chain.ps1 index 2635528..4e77df4 100644 --- a/install-scripts/install-safe-chain.ps1 +++ b/install-scripts/install-safe-chain.ps1 @@ -8,19 +8,21 @@ param( ) $Version = $env:SAFE_CHAIN_VERSION # Will be fetched from latest release if not set + +# Validate SAFE_CHAIN_DIR before use +if ($env:SAFE_CHAIN_DIR) { + if (-not [System.IO.Path]::IsPathRooted($env:SAFE_CHAIN_DIR)) { + Write-Host "[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: $($env:SAFE_CHAIN_DIR)" -ForegroundColor Red; exit 1 + } + if ($env:SAFE_CHAIN_DIR -match '\.\.') { + Write-Host "[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)" -ForegroundColor Red; exit 1 + } + if ($env:SAFE_CHAIN_DIR -match '^[A-Za-z]:[/\\]?$' -or $env:SAFE_CHAIN_DIR -eq '/') { + Write-Host "[ERROR] SAFE_CHAIN_DIR cannot be a root or drive-root directory" -ForegroundColor Red; exit 1 + } +} + $SafeChainBase = if ($env:SAFE_CHAIN_DIR) { $env:SAFE_CHAIN_DIR } else { Join-Path $env:USERPROFILE ".safe-chain" } - -# Validate $SafeChainBase before any filesystem operations -if (-not [System.IO.Path]::IsPathRooted($SafeChainBase)) { - Write-Host "[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: $SafeChainBase" -ForegroundColor Red; exit 1 -} -if ($SafeChainBase -match '\.\.') { - Write-Host "[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)" -ForegroundColor Red; exit 1 -} -if ($SafeChainBase -match '^[A-Za-z]:[/\\]?$' -or $SafeChainBase -eq '/') { - Write-Host "[ERROR] SAFE_CHAIN_DIR cannot be a root or drive-root directory" -ForegroundColor Red; exit 1 -} - $InstallDir = Join-Path $SafeChainBase "bin" $RepoUrl = "https://github.com/AikidoSec/safe-chain" diff --git a/install-scripts/install-safe-chain.sh b/install-scripts/install-safe-chain.sh index e371183..03923d8 100755 --- a/install-scripts/install-safe-chain.sh +++ b/install-scripts/install-safe-chain.sh @@ -8,20 +8,22 @@ set -e # Exit on error # Configuration VERSION="${SAFE_CHAIN_VERSION:-}" # Will be fetched from latest release if not set -SAFE_CHAIN_BASE="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}" -# Validate SAFE_CHAIN_BASE before any filesystem operations -case "${SAFE_CHAIN_BASE}" in - /*) ;; - *) printf '[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: %s\n' "${SAFE_CHAIN_BASE}" >&2; exit 1 ;; -esac -case "${SAFE_CHAIN_BASE}" in - *../*|*/..*|..) printf '[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)\n' >&2; exit 1 ;; -esac -if [ "${SAFE_CHAIN_BASE}" = "/" ]; then - printf '[ERROR] SAFE_CHAIN_DIR cannot be the root directory\n' >&2; exit 1 +# Validate SAFE_CHAIN_DIR before use +if [ -n "${SAFE_CHAIN_DIR}" ]; then + case "${SAFE_CHAIN_DIR}" in + /*) ;; + *) printf '[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: %s\n' "${SAFE_CHAIN_DIR}" >&2; exit 1 ;; + esac + case "${SAFE_CHAIN_DIR}" in + *../*|*/..*|..) printf '[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)\n' >&2; exit 1 ;; + esac + if [ "${SAFE_CHAIN_DIR}" = "/" ]; then + printf '[ERROR] SAFE_CHAIN_DIR cannot be the root directory\n' >&2; exit 1 + fi fi +SAFE_CHAIN_BASE="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}" INSTALL_DIR="${SAFE_CHAIN_BASE}/bin" REPO_URL="https://github.com/AikidoSec/safe-chain" diff --git a/install-scripts/uninstall-safe-chain.ps1 b/install-scripts/uninstall-safe-chain.ps1 index f342377..785e58a 100644 --- a/install-scripts/uninstall-safe-chain.ps1 +++ b/install-scripts/uninstall-safe-chain.ps1 @@ -4,19 +4,21 @@ # Use HOME on Unix, USERPROFILE on Windows (PowerShell Core is cross-platform) $HomeDir = if ($env:HOME) { $env:HOME } else { $env:USERPROFILE } + +# Validate SAFE_CHAIN_DIR before use +if ($env:SAFE_CHAIN_DIR) { + if (-not [System.IO.Path]::IsPathRooted($env:SAFE_CHAIN_DIR)) { + Write-Host "[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: $($env:SAFE_CHAIN_DIR)" -ForegroundColor Red; exit 1 + } + if ($env:SAFE_CHAIN_DIR -match '\.\.') { + Write-Host "[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)" -ForegroundColor Red; exit 1 + } + if ($env:SAFE_CHAIN_DIR -match '^[A-Za-z]:[/\\]?$' -or $env:SAFE_CHAIN_DIR -eq '/') { + Write-Host "[ERROR] SAFE_CHAIN_DIR cannot be a root or drive-root directory" -ForegroundColor Red; exit 1 + } +} + $DotSafeChain = if ($env:SAFE_CHAIN_DIR) { $env:SAFE_CHAIN_DIR } else { Join-Path $HomeDir ".safe-chain" } - -# Validate $DotSafeChain before any filesystem operations -if (-not [System.IO.Path]::IsPathRooted($DotSafeChain)) { - Write-Host "[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: $DotSafeChain" -ForegroundColor Red; exit 1 -} -if ($DotSafeChain -match '\.\.') { - Write-Host "[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)" -ForegroundColor Red; exit 1 -} -if ($DotSafeChain -match '^[A-Za-z]:[/\\]?$' -or $DotSafeChain -eq '/') { - Write-Host "[ERROR] SAFE_CHAIN_DIR cannot be a root or drive-root directory" -ForegroundColor Red; exit 1 -} - $InstallDir = Join-Path $DotSafeChain "bin" # Helper functions diff --git a/install-scripts/uninstall-safe-chain.sh b/install-scripts/uninstall-safe-chain.sh index 1cd8f9b..abde7ca 100755 --- a/install-scripts/uninstall-safe-chain.sh +++ b/install-scripts/uninstall-safe-chain.sh @@ -7,20 +7,23 @@ set -e # Exit on error # Configuration -DOT_SAFE_CHAIN="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}" -# Validate DOT_SAFE_CHAIN before any filesystem operations -case "${DOT_SAFE_CHAIN}" in - /*) ;; - *) printf '[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: %s\n' "${DOT_SAFE_CHAIN}" >&2; exit 1 ;; -esac -case "${DOT_SAFE_CHAIN}" in - *../*|*/..*|..) printf '[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)\n' >&2; exit 1 ;; -esac -if [ "${DOT_SAFE_CHAIN}" = "/" ]; then - printf '[ERROR] SAFE_CHAIN_DIR cannot be the root directory\n' >&2; exit 1 +# Validate SAFE_CHAIN_DIR before use +if [ -n "${SAFE_CHAIN_DIR}" ]; then + case "${SAFE_CHAIN_DIR}" in + /*) ;; + *) printf '[ERROR] SAFE_CHAIN_DIR must be an absolute path, got: %s\n' "${SAFE_CHAIN_DIR}" >&2; exit 1 ;; + esac + case "${SAFE_CHAIN_DIR}" in + *../*|*/..*|..) printf '[ERROR] SAFE_CHAIN_DIR must not contain path traversal (..)\n' >&2; exit 1 ;; + esac + if [ "${SAFE_CHAIN_DIR}" = "/" ]; then + printf '[ERROR] SAFE_CHAIN_DIR cannot be the root directory\n' >&2; exit 1 + fi fi +DOT_SAFE_CHAIN="${SAFE_CHAIN_DIR:-${HOME}/.safe-chain}" + # Colors for output RED='\033[0;31m' GREEN='\033[0;32m'