From 6dd4e366dea2797abf91acd430f8d2169e1d08da Mon Sep 17 00:00:00 2001 From: Rootless-Ghost/RG-Nebula <139057350+Rootless-Ghost@users.noreply.github.com> Date: Sat, 25 Apr 2026 23:14:09 -0400 Subject: [PATCH] Potential fix for code scanning alert no. 13: Uncontrolled command line Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- app.py | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/app.py b/app.py index 2aa75fc..3e98005 100644 --- a/app.py +++ b/app.py @@ -11,9 +11,11 @@ import argparse import io +import ipaddress import json import logging import os +import re import sys import yaml @@ -28,6 +30,34 @@ format="%(asctime)s [%(levelname)s] %(message)s", datefmt="%H:%M:%S", ) + +_HOST_RE = re.compile( + r"^(?:" + r"[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?" + r"(?:\.(?:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?))*" + r"|(?:\d{1,3}\.){3}\d{1,3}" + r"|[0-9A-Fa-f:]{2,39}" + r")$" +) + + +def _is_valid_target_host(value: str) -> bool: + candidate = str(value or "").strip() + if not candidate: + return False + try: + ipaddress.ip_address(candidate) + return True + except ValueError: + if not _HOST_RE.match(candidate): + return False + labels = candidate.split(".") + return all( + 1 <= len(label) <= 63 + and label[0] != "-" + and label[-1] != "-" + for label in labels + ) logger = logging.getLogger("atomicloop") # ── Config ──────────────────────────────────────────────────────────────────── @@ -282,6 +312,11 @@ def execute_route(): "success": False, "error": "target_host is required when transport is 'winrm'", }), 400 + if not _is_valid_target_host(target_host): + return jsonify({ + "success": False, + "error": "Invalid target_host: must be a valid hostname, IPv4, or IPv6 literal.", + }), 400 result = execute_remote_winrm( command=command, executor_type=executor_type,