[femu_test] Prevent remote command execution in the FEMU guest.
See https://fxbug.dev/80614.
Change-Id: I718fa63881f71fb5640dbf987dd0518390017849
Reviewed-on: https://flutter-review.googlesource.com/c/recipes/+/15480
Reviewed-by: David Worsham <dworsham@google.com>
Reviewed-by: Keyong Han <keyonghan@google.com>
Commit-Queue: Darren Chan <chandarren@google.com>
diff --git a/recipes/femu_test.resources/run_vdl_test.sh b/recipes/femu_test.resources/run_vdl_test.sh
index 8e21a72..42c6de9 100644
--- a/recipes/femu_test.resources/run_vdl_test.sh
+++ b/recipes/femu_test.resources/run_vdl_test.sh
@@ -79,12 +79,39 @@
shift
;;
-t=*|--run_test=*)
+ # Prevent command injection. It's safer to specify every character
+ # rather than using ranges: https://unix.stackexchange.com/a/355676.
+ #
+ # https://fuchsia.dev/fuchsia-src/concepts/packages/package_url#package-name
+ # describes the set of allowed characters in package names.
+ case "${arg#*=}" in *[!0123456789abcdefghijklmnopqrstuvwxyz\-_.]*)
+ echo "Invalid argument for --run_test: ${arg#*=}"
+ exit 1
+ ;;
+ esac
RUN_TESTS+="${arg#*=}"
;;
--test_suite=*)
+ # Prevent command injection. It's safer to specify every character
+ # rather than using ranges: https://unix.stackexchange.com/a/355676.
+ #
+ # https://fuchsia.dev/fuchsia-src/concepts/packages/package_url#package-name
+ # describes the set of allowed characters in package names.
+ case "${arg#*=}" in *[!0123456789abcdefghijklmnopqrstuvwxyz\-_.]*)
+ echo "Invalid argument for --test_suite: ${arg#*=}"
+ exit 1
+ ;;
+ esac
TEST_SUITES+="${arg#*=}"
;;
-t=*|--test_args=*)
+ # Prevent command injection. It's safer to specify every character
+ # rather than using ranges: https://unix.stackexchange.com/a/355676.
+ case "${arg#*=}" in *[!0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\-_.:=*\ ]*)
+ echo "Invalid argument for --test_args: ${arg#*=}"
+ exit 1
+ ;;
+ esac
TEST_ARGS+="${arg#*=}"
;;
*)
