nevaforget/moonarch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: shell script quoting and argument injection hardening

Browse Source 
Audit fixes for command injection risks in helper scripts:
- moonarch-cpugov: eval for quoted COMMANDS expansion (pkexec context)
- moonarch-btnote: while+read with process substitution, quoted vars
- moonarch-vpn: -- guard before connection name in nmcli calls
- post-install.sh: else-logging when USER_DEFAULTS dir missing
This commit is contained in:
nevaforget
2026-03-31 11:06:14 +02:00
parent 491a3cd3e2
commit 1e19f08776
5 changed files with 19 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
defaults/bin/moonarch-btnote
+5 -4
View File
@@ -5,15 +5,16 @@
NOTIFY_AT_PERCENTAGE=70
ICON="battery-empty"
for d in $(upower -e); do
while IFS= read -r d; do
[ -z "$d" ] && continue
DEVICE_DATA=$(upower -i "$d")
PERCENTAGE=$(echo $DEVICE_DATA | grep -Po '(?<=(percentage: )).*(?= icon)')
PERCENTAGE=$(echo "$DEVICE_DATA" | grep -Po '(?<=(percentage: )).*(?= icon)')
PER_INT=$(echo "${PERCENTAGE//%}")
DEVICE_NAME=$(echo $DEVICE_DATA | grep -Po '(?<=(model: )).*(?= serial)')
DEVICE_NAME=$(echo "$DEVICE_DATA" | grep -Po '(?<=(model: )).*(?= serial)')
if [ -n "$DEVICE_NAME" ] && [ -n "$PER_INT" ] && [ "$PER_INT" -lt "$NOTIFY_AT_PERCENTAGE" ]; then
notify-send -t 5000 -e "Low battery $DEVICE_NAME $PER_INT%" -i "$ICON" \
-h string:x-canonical-private-synchronous:battery \
-h int:value:"$PER_INT" -u critical
fi
done
done < <(upower -e)
defaults/bin/moonarch-cpugov
+3 -2
View File
@@ -60,8 +60,9 @@ fi
# check if choice exists
if test "${COMMANDS[$choice]+isset}"
then
# Execute the choice
${COMMANDS[$choice]}
# Execute the choice — eval required because COMMANDS values contain
# multi-word strings that must be interpreted as full commands.
eval "${COMMANDS[$choice]}"
notify-send -h string:x-canonical-private-synchronous:cpugov -i cpu "CPU Mode" "Set to $choice ${LABELS[$choice]}"
else
defaults/bin/moonarch-vpn
+2 -2
View File
@@ -41,7 +41,7 @@ function connect_vpn() {
local connection="$1"
local feedback
if feedback=$(nmcli connection up "$connection" 2>&1); then
if feedback=$(nmcli connection up -- "$connection" 2>&1); then
notify-send "VPN" "Connected to '$connection'"
else
notify-send -u critical "VPN" "Connection failed: $feedback"
@@ -53,7 +53,7 @@ function disconnect_vpn() {
local connection="$1"
local feedback
if feedback=$(nmcli connection down "$connection" 2>&1); then
if feedback=$(nmcli connection down -- "$connection" 2>&1); then
notify-send "VPN" "Disconnected from '$connection'"
else
notify-send -u critical "VPN" "Disconnect failed: $feedback"