fix: add missing quote and backslash chars to sanitize_input to preve…#316

Merged
utksh1 merged 1 commit into
utksh1:mainfrom
Midoriya-w:fix/sanitize-input-command-injection
May 26, 2026

Conversation

@Midoriya-w
Contributor

fix: patch command injection bypass in sanitize_input()

Closes #309

Problem

sanitize_input() was missing critical shell characters from its blocklist, allowing attackers to bypass sanitization using quoted strings or backslash sequences.

Changes

  • Updated dangerous_chars in backend/secuscan/validation.py to include:
    • ' — single quote (breaks out of quoted strings)
    • " — double quote (breaks out of double-quoted strings)
    • \ — backslash (escapes characters)
    • ! — bash history expansion
    • { } — brace expansion

Before / After

# Before
dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r']

# After
dangerous_chars = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r', "'", '"', '\\', '!', '{', '}']

Security Impact

Severity: High — Attackers could bypass sanitization and inject shell commands using quoted strings or backslash sequences on any input passed to shell commands.
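As an added illustration (written for this page, not code from the PR or the project), the two blocklists side by side, plus the two controls a reviewer would normally ask for alongside a blocklist: an allowlist check and shlex.quote for any value that must reach a shell. The is_blocked helper assumes sanitize_input() rejects a value on a match; the PR does not show whether the real function rejects or strips.

```python
import re
import shlex

# Blocklist before the fix, as quoted in the PR description.
DANGEROUS_CHARS_BEFORE = [';', '|', '&', '$', '`', '(', ')', '<', '>', '\n', '\r']
# Blocklist after the fix: the PR adds quotes, backslash, '!' and braces.
DANGEROUS_CHARS_AFTER = DANGEROUS_CHARS_BEFORE + ["'", '"', '\\', '!', '{', '}']


def is_blocked(value: str, dangerous_chars: list[str]) -> bool:
    """Blocklist check in the style of sanitize_input().

    Assumption: the real function rejects on a match. Returns True when any
    listed character is present in the value.
    """
    return any(c in value for c in dangerous_chars)


def validate_allowlist(value: str) -> bool:
    """Positive check: accept only what a hostname or identifier legitimately
    needs. Anything the allowlist does not name is rejected, so a character
    nobody thought to blocklist cannot slip through."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,253}", value) is not None


def shell_safe(value: str) -> str:
    """If a value must ever be placed in a shell command line, quote it with
    shlex.quote rather than relying on a character blocklist. Prefer passing
    an argument list to subprocess with shell=False where possible."""
    return shlex.quote(value)


def classify(value: str) -> dict[str, bool]:
    """Show how each control judges one input (constructed samples in the test)."""
    return {
        "blocked_before": is_blocked(value, DANGEROUS_CHARS_BEFORE),
        "blocked_after": is_blocked(value, DANGEROUS_CHARS_AFTER),
        "allowlist_ok": validate_allowlist(value),
    }
```

The gap the PR closes is visible in the middle case: a value containing a single quote passes the old list and is caught by the new one, while the allowlist rejects it either way.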

@utksh1 utksh1 added area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests type:security Security work category bonus label type:bug Bug fix work category bonus label level:beginner 20 pts difficulty label for small beginner-friendly PRs quality:clean Contributor score x1.2; mentor +5 pts gssoc:approved Admin validation: approved for GSSoC scoring labels May 26, 2026
Owner

@utksh1 utksh1 left a comment


Approved for merge. This is a focused sanitize_input hardening change that removes additional shell-sensitive characters without unrelated churn, and CI is green.

@utksh1 utksh1 merged commit a1f1c5e into utksh1:main May 26, 2026
5 checks passed


Development

Successfully merging this pull request may close these issues.

[BUG] [Security] sanitize_input() missing quotes and backslash command injection still possible
