From 43e601a08b1e3406bfb29e05b5580dd743668edb Mon Sep 17 00:00:00 2001
From: Cleboost
Date: Mon, 11 May 2026 02:22:19 +0200
Subject: [PATCH] security: escape docker item names to prevent shell injection
---
 src/ui/docker.rs | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/ui/docker.rs b/src/ui/docker.rs
index 41016e4..db1c147 100644
--- a/src/ui/docker.rs
+++ b/src/ui/docker.rs
@@ -288,11 +288,11 @@ impl DockerManager {
 let rb_c = rb_toggle.clone();
 let c_str = cmd_str.clone();
 glib::MainContext::default().spawn_local(async move {
- let cmd = format!("DOCKER_BIN=$(if [ -w /var/run/docker.sock ]; then echo 'docker'; else echo 'sudo -n docker'; fi); $DOCKER_BIN {} {}", c_str, n_c);
+ let safe_name = n_c.replace('\'', "'\\''");
+ let cmd = format!("DOCKER_BIN=$(if [ -w /var/run/docker.sock ]; then echo 'docker'; else echo 'sudo -n docker'; fi); $DOCKER_BIN {} '{}'", c_str, safe_name);
 let _ = run_remote_command(&h_c, p_c.as_deref(), &cmd).await;
 rb_c.emit_clicked();
- });
- });
+ }); });
 actions.append(&toggle_btn);
 }
@@ -313,10 +313,11 @@ impl DockerManager {
 let rb_c = rb_del.clone();
 glib::MainContext::default().spawn_local(async move {
 let sub_cmd = if is_c_del { "rm -f" } else { "rmi" };
- let cmd = format!("DOCKER_BIN=$(if [ -w /var/run/docker.sock ]; then echo 'docker'; else echo 'sudo -n docker'; fi); $DOCKER_BIN {} {}", sub_cmd, n_c);
- let _ = run_remote_command(&h_c, p_c.as_deref(), &cmd).await; rb_c.emit_clicked();
- });
- });
+ let safe_name = n_c.replace('\'', "'\\''");
+ let cmd = format!("DOCKER_BIN=$(if [ -w /var/run/docker.sock ]; then echo 'docker'; else echo 'sudo -n docker'; fi); $DOCKER_BIN {} '{}'", sub_cmd, safe_name);
+ let _ = run_remote_command(&h_c, p_c.as_deref(), &cmd).await;
+ rb_c.emit_clicked();
+ }); });
 actions.append(&delete_btn);
 row.append(&actions);
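Review bot: Single-quoting the name in the new `format!` call closes the shell-metacharacter hole, but a name that begins with `-` still reaches docker as an option rather than an operand, both in this toggle handler and in the delete handler of the second hunk. Ending option parsing before the operand covers that case: `$DOCKER_BIN {} -- '{}'` (worth confirming that every subcommand passed through `c_str` accepts `--`). `c_str` is still interpolated unquoted, and where `cmd_str` is built is outside the hunk, so this is only safe if it is always one of a fixed set of literals; a comment at its definition stating that would help. The closure starts above the hunk, so how `n_c` is populated is not visible here.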
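Review bot: The escaping expression `n_c.replace('\'', "'\\''")` and the surrounding `'{}'` are now written out twice, in this delete handler and in the toggle handler of the first hunk, and the two halves are only correct together. A small helper that returns the operand already wrapped, for example `fn sh_quote(s: &str) -> String { format!("'{}'", s.replace('\'', "'\\''")) }`, with a doc comment saying it targets a POSIX shell on the remote side, would keep a later call site from applying one half without the other. Separately, `let _ = run_remote_command(...)` drops the outcome of `rm -f`/`rmi`, so a refused `sudo -n` looks the same as a successful delete once `rb_c.emit_clicked()` refreshes the list; surfacing that failure would be worth a follow-up.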