Add Arch Linux server support and fix package sanitization

- Add Arch Linux (pacman) support to server operations: CheckUpdates, InstallDocker, InstallPrerequisites, UpdatePackage - Implement parsePacmanOutput() to parse 'pacman -Qu' output format - Add security improvement: package name sanitization to prevent command injection - Initialize variables in CheckUpdates to prevent undefined variable errors in catch block - Use proper Arch pacman flags: -Syu for full system upgrade before operations 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-18 03:20:26 +00:00 · 2025-12-08 09:02:00 +01:00
parent a5b13b57cc
commit 9bb77da9a4
4 changed files with 94 additions and 3 deletions
--- a/app/Actions/Server/UpdatePackage.php
+++ b/app/Actions/Server/UpdatePackage.php
@@ -20,18 +20,36 @@ class UpdatePackage
                    'error' => 'Server is not reachable or not ready.',
                ];
            }
+
+            // Sanitize package name to prevent command injection
+            // Only allow alphanumeric characters, hyphens, underscores, periods, plus signs, and colons
+            // These are valid characters in package names across most package managers
+            $sanitizedPackage = '';
+            if ($package !== null && ! $all) {
+                if (! preg_match('/^[a-zA-Z0-9._+:-]+$/', $package)) {
+                    return [
+                        'error' => 'Invalid package name. Package names can only contain alphanumeric characters, hyphens, underscores, periods, plus signs, and colons.',
+                    ];
+                }
+                $sanitizedPackage = escapeshellarg($package);
+            }
+
            switch ($packageManager) {
                case 'zypper':
                    $commandAll = 'zypper update -y';
-                    $commandInstall = 'zypper install -y '.$package;
+                    $commandInstall = 'zypper install -y '.$sanitizedPackage;
                    break;
                case 'dnf':
                    $commandAll = 'dnf update -y';
-                    $commandInstall = 'dnf update -y '.$package;
+                    $commandInstall = 'dnf update -y '.$sanitizedPackage;
                    break;
                case 'apt':
                    $commandAll = 'apt update && apt upgrade -y';
-                    $commandInstall = 'apt install -y '.$package;
+                    $commandInstall = 'apt install -y '.$sanitizedPackage;
+                    break;
+                case 'pacman':
+                    $commandAll = 'pacman -Syu --noconfirm';
+                    $commandInstall = 'pacman -S --noconfirm '.$sanitizedPackage;
                    break;
                default:
                    return [