Fix critical security issues: command injection, HTTP downloads, eval, arch swap#300
Open
devin-ai-integration[bot] wants to merge 1 commit into
Open
Fix critical security issues: command injection, HTTP downloads, eval, arch swap#300devin-ai-integration[bot] wants to merge 1 commit into
devin-ai-integration[bot] wants to merge 1 commit into
Conversation
- dink.sh: Sanitize user input with allowlist regex, quote all variable expansions, upgrade HTTP to HTTPS for downloads - openbor.sh: Upgrade HTTP to HTTPS for libGL binary downloads from GitHub - kodi-extra.sh: Upgrade HTTP to HTTPS for Kodi APT repo and GPG key - kweb.sh: Upgrade HTTP to HTTPS for tarball download - reminiscence.sh: Upgrade HTTP to HTTPS for source tarball download - piegalaxy.sh: Fix swapped architecture downloads (x86 was downloading ARM binary and vice versa), upgrade HTTP to HTTPS for innoextract - borked3ds.sh: Replace eval $run with function-name validation to prevent arbitrary code execution from menu data - openra.sh: Download dotnet-install.sh to file before executing instead of piping curl to bash - openra-vpi5.sh: Same curl-pipe-to-bash fix as openra.sh - retroscraper.sh: Use mktemp instead of predictable /tmp/ path for pip installer bootstrap Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security audit fixing the most critical findings across 10 scriptmodules.
Command injection via unvalidated user input (
dink.sh)User-supplied DMOD name from dialog was passed unquoted into
wget,tar,sudo mv,rm— allowing shell metacharacter injection. Fixed by:[[ ! "$search" =~ ^[a-zA-Z0-9_-]+$ ]]${search}and${folder}expansions throughouthttp://→https://for dinknetwork.com downloadsArbitrary code execution via
eval(borked3ds.sh)eval $runexecuted whatever string was extracted from CSV menu data. Replaced with function-name validation:HTTP → HTTPS for binary/source downloads (6 files)
Downloads over plain HTTP are vulnerable to MITM — an attacker on the network could substitute malicious binaries/tarballs/GPG keys:
openbor.sh:libGL.so.1binaries from GitHub rawkodi-extra.sh: Kodi APT repo list and GPG signing keykweb.sh: kweb tarballreminiscence.sh: REminiscence source tarballpiegalaxy.sh: innoextract archivesPiping remote scripts to bash (
openra.sh,openra-vpi5.sh)curl | bashexecutes whatever the server returns with no inspection. Changed to download-then-execute pattern so the script is a local file before execution.Swapped architecture binaries (
piegalaxy.sh)isPlatform "x86"was downloading the.armwyvern binary and vice versa. Fixed the suffix swap.Predictable temp path for pip bootstrap (
retroscraper.sh)Replaced hardcoded
/tmp/get-pip.pywithmktemp --suffix=.pyto prevent symlink/race attacks on the world-writable/tmp/directory.Link to Devin session: https://app.devin.ai/sessions/320bf558ab764f4e9656c4999dcebd9a
Requested by: @Exarkuniv