Fix #287 - Verify the version syntax in *.sh to avoid command injection

williamdes · williamdes · commit 272944cc5a10 · 2023-08-03T16:14:42.000+02:00
diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh
@@ -63,7 +63,7 @@ join() {
 	echo "${out#$sep}"
 }
 
-latest="$(curl -fsSL 'https://www.phpmyadmin.net/home_page/version.json' | jq -r '.version')"
+latest="$(curl -fsSL 'https://www.phpmyadmin.net/home_page/version.json' | jq -r '.version' | grep -E '^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$')"
 
 for variant in apache fpm fpm-alpine; do
 	commit="$(dirCommit "$variant")"
diff --git a/update.sh b/update.sh
@@ -88,7 +88,7 @@ command -v jq >/dev/null 2>&1 || { echo >&2 "'jq' is required but not found. Abo
 # Create variants
 printf '%s\n' "{}" > versions.json
 
-latest="$(curl -fsSL "https://www.phpmyadmin.net/home_page/version.json" | jq -r '.version')"
+latest="$(curl -fsSL 'https://www.phpmyadmin.net/home_page/version.json' | jq -r '.version' | grep -E '^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$')"
 sha256="$(curl -fsSL "$(download_url "$latest").sha256" | cut -f1 -d ' ' | tr -cd 'a-f0-9' | cut -c 1-64)"
 
 for variant in "${variants[@]}"; do

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ join() {`
`63`	`63`	`echo "${out#$sep}"`
`64`	`64`	`}`
`65`	`65`
`66`		`-latest="$(curl -fsSL 'https://www.phpmyadmin.net/home_page/version.json' \| jq -r '.version')"`
	`66`	`+latest="$(curl -fsSL 'https://www.phpmyadmin.net/home_page/version.json' \| jq -r '.version' \| grep -E '^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$')"`
`67`	`67`
`68`	`68`	`for variant in apache fpm fpm-alpine; do`
`69`	`69`	`commit="$(dirCommit "$variant")"`