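--- a/backend/dockerMailserver.js
+++ b/backend/dockerMailserver.js
@@ -22,6 +22,18 @@ function debugLog(message, data = null) {
 }
 }
 
+/**
+* Escapes a string for safe use in shell commands by wrapping it in single quotes
+* and escaping any single quotes within the string
+* @param {string} arg - Argument to escape
+* @return {string} Escaped argument safe for shell execution
+*/
+function escapeShellArg(arg) {
+// Replace single quotes with '\'' (end quote, escaped quote, start quote)
+// Then wrap the entire string in single quotes
+return `'${arg.replace(/'/g, "'\\''")}'`;
+}
+
 /**
 * Executes a command in the docker-mailserver container
 * @param {string} command Command to execute
@@ -143,7 +155,9 @@ async function getAccounts() {
 async function addAccount(email, password) {
 try {
 debugLog(`Adding new email account: ${email}`);
-await execSetup(`email add ${email} ${password}`);
+await execSetup(
+`email add ${escapeShellArg(email)} ${escapeShellArg(password)}`
+);
 debugLog(`Account created: ${email}`);
 return { success: true, email };
 } catch (error) {
@@ -157,7 +171,9 @@ async function addAccount(email, password) {
 async function updateAccountPassword(email, password) {
 try {
 debugLog(`Updating password for account: ${email}`);
-await execSetup(`email update ${email} ${password}`);
+await execSetup(
+`email update ${escapeShellArg(email)} ${escapeShellArg(password)}`
+);
 debugLog(`Password updated for account: ${email}`);
 return { success: true, email };
 } catch (error) {
@@ -171,7 +187,7 @@ async function updateAccountPassword(email, password) {
 async function deleteAccount(email) {
 try {
 debugLog(`Deleting email account: ${email}`);
-await execSetup(`email del ${email}`);
+await execSetup(`email del ${escapeShellArg(email)}`);
 debugLog(`Account deleted: ${email}`);
 return { success: true, email };
 } catch (error) {
@@ -229,7 +245,9 @@ async function getAliases() {
 async function addAlias(source, destination) {
 try {
 debugLog(`Adding new alias: ${source} -> ${destination}`);
-await execSetup(`alias add ${source} ${destination}`);
+await execSetup(
+`alias add ${escapeShellArg(source)} ${escapeShellArg(destination)}`
+);
 debugLog(`Alias created: ${source} -> ${destination}`);
 return { success: true, source, destination };
 } catch (error) {
@@ -243,7 +261,9 @@ async function addAlias(source, destination) {
 async function deleteAlias(source, destination) {
 try {
 debugLog(`Deleting alias: ${source} => ${destination}`);
-await execSetup(`alias del ${source} ${destination}`);
+await execSetup(
+`alias del ${escapeShellArg(source)} ${escapeShellArg(destination)}`
+);
 debugLog(`Alias deleted: ${source} => ${destination}`);
 return { success: true, source, destination };
 } catch (error) {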
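Review bot: Single-quoting in `escapeShellArg` neutralises shell metacharacters, but a value that begins with `-` is still handed to the setup command as an option-looking argument, so `email`, `source` and `destination` should be checked against an address pattern before the calls in `addAccount`, `updateAccountPassword`, `deleteAccount`, `addAlias` and `deleteAlias`. The helper also calls `arg.replace` unconditionally, so a missing or non-string value throws a TypeError with an unhelpful message; a guard such as `if (typeof arg !== 'string') throw new TypeError('shell argument must be a string');` makes that explicit. The escaping is only correct if the string is parsed by exactly one POSIX shell, and `execSetup`'s body is outside these hunks, so it is worth confirming that it does not embed the command inside another quoted `sh -c` layer. The password is still passed as a command-line argument, which may expose it in process listings or debug output depending on how `execSetup` runs and logs the command.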