Skip to content

Fix critical security issues: command injection, HTTP downloads, eval, arch swap#300

Open
devin-ai-integration[bot] wants to merge 1 commit into
masterfrom
devin/1782412107-security-fixes
Open

Fix critical security issues: command injection, HTTP downloads, eval, arch swap#300
devin-ai-integration[bot] wants to merge 1 commit into
masterfrom
devin/1782412107-security-fixes

Conversation

@devin-ai-integration

Copy link
Copy Markdown

Summary

Security audit fixing the most critical findings across 10 scriptmodules.

Command injection via unvalidated user input (dink.sh)

User-supplied DMOD name from dialog was passed unquoted into wget, tar, sudo mv, rm — allowing shell metacharacter injection. Fixed by:

  • Adding input validation: [[ ! "$search" =~ ^[a-zA-Z0-9_-]+$ ]]
  • Quoting all ${search} and ${folder} expansions throughout
  • Upgrading http://https:// for dinknetwork.com downloads

Arbitrary code execution via eval (borked3ds.sh)

eval $run executed whatever string was extracted from CSV menu data. Replaced with function-name validation:

if declare -f "$run" >/dev/null 2>&1; then
    "$run"
else
    printMsgs "dialog" "Unknown action: $run"
fi

HTTP → HTTPS for binary/source downloads (6 files)

Downloads over plain HTTP are vulnerable to MITM — an attacker on the network could substitute malicious binaries/tarballs/GPG keys:

  • openbor.sh: libGL.so.1 binaries from GitHub raw
  • kodi-extra.sh: Kodi APT repo list and GPG signing key
  • kweb.sh: kweb tarball
  • reminiscence.sh: REminiscence source tarball
  • piegalaxy.sh: innoextract archives

Piping remote scripts to bash (openra.sh, openra-vpi5.sh)

curl | bash executes whatever the server returns with no inspection. Changed to download-then-execute pattern so the script is a local file before execution.

Swapped architecture binaries (piegalaxy.sh)

isPlatform "x86" was downloading the .arm wyvern binary and vice versa. Fixed the suffix swap.

Predictable temp path for pip bootstrap (retroscraper.sh)

Replaced hardcoded /tmp/get-pip.py with mktemp --suffix=.py to prevent symlink/race attacks on the world-writable /tmp/ directory.

Link to Devin session: https://app.devin.ai/sessions/320bf558ab764f4e9656c4999dcebd9a
Requested by: @Exarkuniv

- dink.sh: Sanitize user input with allowlist regex, quote all variable
  expansions, upgrade HTTP to HTTPS for downloads
- openbor.sh: Upgrade HTTP to HTTPS for libGL binary downloads from GitHub
- kodi-extra.sh: Upgrade HTTP to HTTPS for Kodi APT repo and GPG key
- kweb.sh: Upgrade HTTP to HTTPS for tarball download
- reminiscence.sh: Upgrade HTTP to HTTPS for source tarball download
- piegalaxy.sh: Fix swapped architecture downloads (x86 was downloading
  ARM binary and vice versa), upgrade HTTP to HTTPS for innoextract
- borked3ds.sh: Replace eval $run with function-name validation to
  prevent arbitrary code execution from menu data
- openra.sh: Download dotnet-install.sh to file before executing instead
  of piping curl to bash
- openra-vpi5.sh: Same curl-pipe-to-bash fix as openra.sh
- retroscraper.sh: Use mktemp instead of predictable /tmp/ path for pip
  installer bootstrap

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@Exarkuniv Exarkuniv self-assigned this Jun 25, 2026
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant