fix(sentinel): add token validation to prevent command injection

Add validation to ensure sentinel tokens contain only safe characters (alphanumeric, dots, hyphens, underscores, plus, forward slash, equals), preventing OS command injection vulnerabilities when tokens are interpolated into shell commands. - Add ServerSetting::isValidSentinelToken() validation method - Validate tokens in StartSentinel action and metrics queries - Improve shell argument escaping with escapeshellarg() - Add comprehensive test coverage for token validation
2026-06-28 21:09:55 +00:00 · 2026-03-10 22:15:05 +01:00
parent 6fbb5e626a
commit 096d4369e5
5 changed files with 118 additions and 3 deletions
@@ -92,6 +92,15 @@ class ServerSetting extends Model
        });
    }

+    /**
+     * Validate that a sentinel token contains only safe characters.
+     * Prevents OS command injection when the token is interpolated into shell commands.
+     */
+    public static function isValidSentinelToken(string $token): bool
+    {
+        return (bool) preg_match('/\A[a-zA-Z0-9._\-+=\/]+\z/', $token);
+    }
+
    public function generateSentinelToken(bool $save = true, bool $ignoreEvent = false)
    {
        $data = [