From a351fb1e73439f5978e0a665c127c3c618868889 Mon Sep 17 00:00:00 2001
From: Oliver Baer <75138893+mrwind-up-bird@users.noreply.github.com>
Date: Wed, 25 Mar 2026 22:16:19 +0100
Subject: [PATCH] fix(autofix): Command injection in VPS setup script
---
 scripts/setup-vps.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/scripts/setup-vps.sh b/scripts/setup-vps.sh
index 23b4310..a4e231d 100755
--- a/scripts/setup-vps.sh
+++ b/scripts/setup-vps.sh
@@ -40,7 +40,10 @@ fi
 echo "==> Generating secrets and creating .env..."
 FERNET_KEY=$(docker run --rm python:3.11-slim python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())" 2>/dev/null || echo "GENERATE_ME")
 JWT_SECRET=$(openssl rand -hex 32)
-PG_PASSWORD=$(openssl rand -base64 32 | tr -d '=+/')
+ # Validate SUDO_USER contains only safe characters (alphanumeric, dash, underscore)
+ if [[ "$SUDO_USER" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+ usermod -aG docker "$SUDO_USER"
+ fi
 cat > /opt/minirag/.env <