Context
The dotfiles module recently received a fix to address insecure shell expansion and missing input validation in its run.sh script. The fix added:
- Strict character whitelist validation on URI inputs
- URL scheme validation (only
https?://, ssh://, git@, git://)
- Proper double-quoting of all shell variables
This same class of vulnerability — unvalidated and/or unquoted user-controllable inputs interpolated into shell scripts — exists across many other modules in the registry. These need the same treatment.
Affected Modules
High Priority (user-provided URLs/paths used without validation)
git-clone/run.sh
REPO_URL is passed directly to git clone with no input validation (no character whitelist, no URL format check)CLONE_PATH and BRANCH_NAME are also unvalidatedPOST_CLONE_SCRIPT is base64-decoded and executed (by design, but worth noting)
personalize/run.sh
$SCRIPT (from PERSONALIZE_PATH) is used unquoted in multiple places: [ ! -f $SCRIPT ], [ ! -x $SCRIPT ], and direct execution $SCRIPT- Word splitting and globbing possible via crafted paths
filebrowser/run.sh
$ROOT_DIR, ${DB_PATH}, ${LOG_PATH}, ${SERVER_BASE_PATH}, ${PORT} are used unquoted in commands- e.g.
filebrowser config set --baseURL=${SERVER_BASE_PATH} --port=${PORT} ... --root=$ROOT_DIR
tee -a ${LOG_PATH} is also unquoted
code-server/run.sh
${ADDITIONAL_ARGS} is expanded unquoted in the run_code_server function- Extension names passed to
--install-extension without validation
Medium Priority (internal/credential values, but still unquoted)
jfrog-oauth/run.sh and jfrog-token/run.sh
${JFROG_URL}, ${JFROG_SERVER_ID}, ${ARTIFACTORY_USERNAME} used without quoting${REGISTER_DOCKER} is expanded and executed as a bare command
vault-github/run.sh
${AUTH_PATH}, ${GITHUB_EXTERNAL_AUTH_ID} used in commands without strict validation
vault-jwt/run.sh
${VAULT_JWT_AUTH_PATH}, ${VAULT_JWT_ROLE} used in vault write command without validation
vault-token/run.sh
${VAULT_NAMESPACE} used without validation
github-upload-public-key/run.sh
$CODER_EXTERNAL_AUTH_ID used unquoted in commands$GITHUB_API_URL used unquoted in curl calls
Recommended Fix Pattern
Follow the pattern established in the dotfiles module fix:
- Input validation — For URL inputs, add a strict character whitelist regex (e.g.
[^a-zA-Z0-9._/:@-]) and validate the URL scheme. For path inputs, validate against shell metacharacters.
- Quote all variables — Every
$VAR and ${VAR} used in shell commands must be wrapped in double quotes to prevent word splitting and globbing.
set -euo pipefail — Ensure all scripts start with this for fail-fast behavior (some already do, some don't).- Test coverage — Verify that valid inputs still work and that payloads containing
;, &, |, $, backticks, (, ) etc. are rejected.
Example: git-clone/run.sh
Before:
REPO_URL="${REPO_URL}"
# ... no validation ...
git clone "$REPO_URL" "$CLONE_PATH"After (following dotfiles pattern):
REPO_URL="${REPO_URL}"
if [ -n "$REPO_URL" ]; then
if [[ "$REPO_URL" =~ [^a-zA-Z0-9._/:@-] ]]; then
echo "ERROR: REPO_URL contains invalid characters" >&2
exit 1
fi
if ! [[ "$REPO_URL" =~ ^(https?://|ssh://|git@|git://) ]]; then
echo "ERROR: REPO_URL must be a valid repository URL" >&2
exit 1
fi
fiCreated on behalf of @DevelopmentCats
Context
The
dotfilesmodule recently received a fix to address insecure shell expansion and missing input validation in itsrun.shscript. The fix added:https?://,ssh://,git@,git://)This same class of vulnerability — unvalidated and/or unquoted user-controllable inputs interpolated into shell scripts — exists across many other modules in the registry. These need the same treatment.
Affected Modules
High Priority (user-provided URLs/paths used without validation)
git-clone/run.shREPO_URLis passed directly togit clonewith no input validation (no character whitelist, no URL format check)CLONE_PATHandBRANCH_NAMEare also unvalidatedPOST_CLONE_SCRIPTis base64-decoded and executed (by design, but worth noting)personalize/run.sh$SCRIPT(fromPERSONALIZE_PATH) is used unquoted in multiple places:[ ! -f $SCRIPT ],[ ! -x $SCRIPT ], and direct execution$SCRIPTfilebrowser/run.sh$ROOT_DIR,${DB_PATH},${LOG_PATH},${SERVER_BASE_PATH},${PORT}are used unquoted in commandsfilebrowser config set --baseURL=${SERVER_BASE_PATH} --port=${PORT} ... --root=$ROOT_DIRtee -a ${LOG_PATH}is also unquotedcode-server/run.sh${ADDITIONAL_ARGS}is expanded unquoted in therun_code_serverfunction--install-extensionwithout validationMedium Priority (internal/credential values, but still unquoted)
jfrog-oauth/run.shandjfrog-token/run.sh${JFROG_URL},${JFROG_SERVER_ID},${ARTIFACTORY_USERNAME}used without quoting${REGISTER_DOCKER}is expanded and executed as a bare commandvault-github/run.sh${AUTH_PATH},${GITHUB_EXTERNAL_AUTH_ID}used in commands without strict validationvault-jwt/run.sh${VAULT_JWT_AUTH_PATH},${VAULT_JWT_ROLE}used invault writecommand without validationvault-token/run.sh${VAULT_NAMESPACE}used without validationgithub-upload-public-key/run.sh$CODER_EXTERNAL_AUTH_IDused unquoted in commands$GITHUB_API_URLused unquoted incurlcallsRecommended Fix Pattern
Follow the pattern established in the
dotfilesmodule fix:[^a-zA-Z0-9._/:@-]) and validate the URL scheme. For path inputs, validate against shell metacharacters.$VARand${VAR}used in shell commands must be wrapped in double quotes to prevent word splitting and globbing.set -euo pipefail— Ensure all scripts start with this for fail-fast behavior (some already do, some don't).;,&,|,$, backticks,(,)etc. are rejected.Example:
git-clone/run.shBefore:
After (following dotfiles pattern):
Created on behalf of @DevelopmentCats