fix: SECURITY: Replace eval usage with safer alternatives (#59)

Agent 2026-03-31 18:10:14 +00:00
parent fd1a8555f6
commit 6758f10a7e
3 changed files with 36 additions and 15 deletions


@ -13,7 +13,15 @@ mirror_push() {
local name url
for name in $MIRROR_NAMES; do
url=$(eval "echo \"\$MIRROR_$(echo "$name" | tr '[:lower:]' '[:upper:]')\"") || true
# Convert name to uppercase env var name safely (only alphanumeric allowed)
local upper_name
upper_name=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
# Validate: only allow alphanumeric + underscore in var name
if [[ ! "$upper_name" =~ ^[A-Z_][A-Z0-9_]*$ ]]; then
continue
fi
# Use indirect expansion safely (no eval)
url="${!upper_name:-}"
[ -z "$url" ] && continue
# Ensure remote exists with correct URL