From 7d72092de62e5235327957ba34a3eea431e22c34 Mon Sep 17 00:00:00 2001
From: thapr0digy
Date: Wed, 20 Aug 2025 00:04:02 -0400
Subject: [PATCH] Fix command injections by validating the agent id format
---
 web/check_mount.php | 19 ++++++++++++++++---
 web/download.php | 7 ++++++-
 web/mount_agent.php | 11 ++++++++++-
 3 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/web/check_mount.php b/web/check_mount.php
index 4b9d3a2..8a054b0 100644
--- a/web/check_mount.php
+++ b/web/check_mount.php
@@ -11,16 +11,29 @@
 }
 $agent_id = $_GET['agent_id'];
+
+// This prevents command injection and directory traversal attacks.
+if (!preg_match('/^[a-zA-Z0-9_-]+$/', $agent_id)) {
+ http_response_code(400);
+ echo json_encode([
+ 'success' => false,
+ 'error' => 'Invalid agent_id format'
+ ]);
+}
+
+$agent_path = "/agents/$agent_id/";
 $mount_path = "/rtMount/$agent_id";
+$escaped_agent_path = escapeshellarg($agent_path);
+$escaped_mount_path = escapeshellarg($mount_path);
 // Check if the directory exists and has mounted volumes
 $output = [];
 $return_var = 0;
-exec("mount | grep '$mount_path' 2>&1", $output, $return_var);
+exec("mount | grep $escaped_mount_path 2>&1", $output, $return_var);
 // Also check for ZFS clones
 $clone_output = [];
-exec("zfs list -H -o name | grep 'mount_' | grep '/agents/$agent_id/' 2>&1", $clone_output, $return_var);
+exec("zfs list -H -o name | grep 'mount_' | grep $escaped_agent_path 2>&1", $clone_output, $return_var);
 // Filter clone output to only include mounted clones
 $mounted_clones = [];
 foreach ($clone_output as $clone) {
@@ -42,4 +55,4 @@
 'success' => true,
 'mounted' => count($output) > 0 || count($clone_output) > 0,
 'mount_path' => $mount_path
-]);
\ No newline at end of file
+]);
diff --git a/web/download.php b/web/download.php
index a62bf06..f6ffb57 100644
--- a/web/download.php
+++ b/web/download.php
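Review bot: The validation block added to web/check_mount.php sends the 400 response but never stops the script, so a request whose `agent_id` fails the pattern still runs both `exec()` calls below it, and the success response in the second hunk is presumably emitted after the error body. Add `exit;` directly after the closing `]);` of the error response; download.php gets this for free from `die()`. The first hunk of web/mount_agent.php has the same gap, and it matters more there because the `sudo` cleanup `exec()` that follows still interpolates `$agent_id` without `escapeshellarg()`. The script continues past the end of this hunk, so any later use of `$agent_id` is reached the same way.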
@@ -7,6 +7,11 @@
 die("Missing required parameters");
 }
+// This prevents directory traversal attacks.
+if (!preg_match('/^[a-zA-Z0-9_-]+$/', $agent_id)) {
+ die("Invalid agent id");
+}
+
 // Construct full path
 $base_path = "/rtMount/$agent_id";
 $full_path = "$base_path/$path";
@@ -38,4 +43,4 @@
 echo fread($handle, 8192);
 flush();
 }
-fclose($handle);
\ No newline at end of file
+fclose($handle);
diff --git a/web/mount_agent.php b/web/mount_agent.php
index c69baa0..48af3ee 100644
--- a/web/mount_agent.php
+++ b/web/mount_agent.php
@@ -14,6 +14,15 @@
 $output = [];
 $return_var = 0;
+// This prevents command injection and directory traversal attacks.
+if (!preg_match('/^[a-zA-Z0-9_-]+$/', $agent_id)) {
+ http_response_code(400);
+ echo json_encode([
+ 'success' => false,
+ 'error' => 'Invalid agent_id format'
+ ]);
+}
+
 // First run cleanup for this specific agent to ensure no stale mounts
 exec("sudo /usr/local/openRT/openRTApp/rtFileMount.pl -cleanup='$agent_id' 2>&1", $output, $return_var);
 if ($return_var !== 0) {
@@ -51,4 +60,4 @@
 }
 echo json_encode($response);
-}
\ No newline at end of file
+}
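Review bot: In web/download.php the new check constrains only `$agent_id`, while the context line `$full_path = "$base_path/$path";` still appends `$path` as received, so the comment "This prevents directory traversal attacks" holds for the agent component only. The lines between this hunk and the next are not shown, so a canonicalisation step may already exist there. If it does not, resolve the path and confirm containment before opening it: `$real = realpath($full_path);` followed by `if ($real === false || strpos($real, realpath($base_path) . '/') !== 0) { die("Invalid path"); }`. Either way, the comment should name the parameter it protects.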
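Review bot: In web/mount_agent.php the context line that runs `rtFileMount.pl` under `sudo` still places the id inside hand-written quotes (`-cleanup='$agent_id'`), so this privileged call relies on the regex alone, whereas check_mount.php in the same commit also applies `escapeshellarg()`. Build the argument as `'-cleanup=' . escapeshellarg($agent_id)` so the quoting does not depend on the allow-list staying intact. The pattern also ends in `$`, which in PCRE matches before a trailing newline as well as at the end of the string; `'/^[a-zA-Z0-9_-]+\z/'` (or the `D` modifier) makes the allow-list exact, and the same applies to the checks in check_mount.php and download.php. The enclosing block opens above this hunk and closes in the last hunk.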