From 36f64db5a6fabc70cbba07b77789393d05d0dcab Mon Sep 17 00:00:00 2001 From: matthew-pilot Date: Sat, 30 May 2026 02:46:43 +0000 Subject: [PATCH] fix(install): validate REGISTRY/BEACON against JSON injection (PILOT-270) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit install.sh:60-61 assigns REGISTRY and BEACON from env vars and , then interpolates them directly into config.json at lines 370-379. A crafted value containing JSON metacharacters (", {, }) can inject arbitrary keys — e.g. disabling encryption with ,"encrypt":false. EMAiL already has a regex guard (line 190-192) but REGISTRY/BEACON did not. Add the same pattern ^[a-zA-Z0-9.:_-]+$ before any config write so the script fails early on invalid input. Verification: go build ./... and go vet ./... both clean. The full test suite is still running (web4 monorepo — ~900s timeout). install.sh has no Go test coverage; the change is shell-level input validation only. Closes PILOT-270
---
 install.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/install.sh b/install.sh
index f3b558fa..861a11a3 100755
--- a/install.sh
+++ b/install.sh
@@ -59,6 +59,15 @@ set -e
 REPO="TeoSlayer/pilotprotocol"
 REGISTRY="${PILOT_REGISTRY:-34.71.57.205:9000}"
 BEACON="${PILOT_BEACON:-34.71.57.205:9001}"
+# PILOT-270: validate REGISTRY/BEACON to prevent JSON injection into config.json
+if ! echo "$REGISTRY" | grep -qE '^[a-zA-Z0-9.:_-]+$'; then
+ echo "Error: REGISTRY contains invalid characters (only a-z A-Z 0-9 . : _ - allowed)"
+ exit 1
+fi
+if ! echo "$BEACON" | grep -qE '^[a-zA-Z0-9.:_-]+$'; then
+ echo "Error: BEACON contains invalid characters (only a-z A-Z 0-9 . : _ - allowed)"
+ exit 1
+fi
 PILOT_DIR="$HOME/.pilot"
 BIN_DIR="$PILOT_DIR/bin"
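Review bot: The two added `grep -qE` guards match line by line, so a REGISTRY or BEACON value that contains a newline is accepted as soon as any one of its lines fits the pattern, and the other lines are never checked for JSON metacharacters. A whole-string test closes that gap without a subprocess: `case "$REGISTRY" in ''|*[!a-zA-Z0-9.:_-]*) echo "Error: REGISTRY contains invalid characters" >&2; exit 1;; esac`, and the same for BEACON. The error messages should also go to stderr rather than stdout. The config.json write at lines 370-379 is outside this hunk, so it cannot be confirmed from here that no other interpolated value needs the same guard.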