Background
Both cuda-install.sh and nvidia-install.sh use eval "$action" to execute rollback commands read from $ROLLBACK_FILE. While the file is only written by the scripts themselves via save_rollback_info() and the state directory is root-owned, eval on file contents is inherently risky.
Current behavior
    while read -r action; do
        if ! eval "$action"; then
            ...
        fi
    done < <(tac "$ROLLBACK_FILE")
Proposed improvement
- Immediate: Set chmod 600 on $ROLLBACK_FILE after creation
- Future: Replace eval with a whitelist-based command dispatcher that validates each line against known safe patterns (e.g., rm -f, dpkg -r, dnf remove -y, zypper removerepo, systemctl start, etc.)
Files affected
src/cuda-install.sh (rollback_installation + save_rollback_info)
src/nvidia-install.sh (rollback_installation + save_rollback_info)
Raised by CodeRabbit review on PR #2.
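
One way the whitelist-based dispatcher proposed above could look, as an added example that is not code from either install script. The function names, the ROLLBACK_DRY_RUN switch and the rule that arguments contain no whitespace or quoting are assumptions; the accepted command shapes are the ones listed in the proposal.

```bash
#!/usr/bin/env bash
# Added example (not project code): allowlist dispatcher replacing eval "$action".
# Assumption: one command per line; arguments contain no whitespace or quoting.

# Return 0 only if the line is one of the known rollback shapes.
validate_rollback_action() {
    set -f; set -- $1; set +f          # word-split only, no globbing
    for word in "$@"; do
        case $word in
            *[!A-Za-z0-9./_:=+@-]*) return 1 ;;   # ; | & $ backticks, quotes, etc.
        esac
    done
    case "$*" in
        "rm -f "*)         kind=path; shift 2 ;;
        "dnf remove -y "*) kind=name; shift 3 ;;
        "dpkg -r "*|"zypper removerepo "*|"systemctl start "*) kind=name; shift 2 ;;
        *) return 1 ;;
    esac
    for arg in "$@"; do
        case "$kind:$arg" in
            path:*/../*|path:*/..) return 1 ;;   # no parent-directory traversal
            path:/*) ;;                          # absolute paths only
            name:-*|path:*) return 1 ;;          # no injected options, no relative paths
            name:*) ;;
        esac
    done
}

# Validate every line first, then run newest-first as argv (never through eval).
# ROLLBACK_DRY_RUN is a hypothetical switch that prints instead of executing.
run_rollback_file() {
    actions=$(tac "$1") || return 1    # snapshot once: validate and run see the same bytes
    while IFS= read -r action; do
        [ -z "$action" ] || validate_rollback_action "$action" || {
            echo "rollback aborted, line not allowlisted: $action" >&2
            return 1
        }
    done <<EOF
$actions
EOF
    while IFS= read -r action; do
        [ -z "$action" ] && continue
        set -f; set -- $action; set +f
        ${ROLLBACK_DRY_RUN:+echo} "$@" </dev/null ||
            echo "rollback step failed: $action" >&2
    done <<EOF
$actions
EOF
}
```

Because each line is split into words and executed as an argument vector, nothing in the file is ever parsed as shell syntax, and a single non-matching line stops the rollback before any step runs.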