Bug #19457
closed
Enforce stricter restriction on authorized node id and hostname
Pull Request:
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Very Small
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
Description
Currently the webapp allows anything in the [a-zA-Z0-9\-] range (which includes things like --insecure), while on the agent side the inventory check script is much stricter and checks for:
($uuid ne "root" && $uuid !~ /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i))
As this check is already present at inventory creation, we can apply it pretty safely on the webapp side, or at least prevent a dash as the first char.
This would avoid option injection in commands using node id as argument.
For hostnames, currently toto " $ <b>tutu</b><script>alert(1);</script> is accepted as a valid hostname.
Given the hostname is used in several places, including command arguments, it could be a good thing to restrict its content to a reasonable char set to prevent various injections.
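
The restriction described above, sketched as an added example in Python (not Rudder's webapp or agent code): the node id must be "root" or a UUID matched against the whole string, since the pattern as quoted carries no anchors, and the hostname is limited to an RFC 1123 style character set. The function names, the RFC 1123 rule set and the sample values are assumptions made for the illustration.

```python
import re

# UUID shape taken from the agent-side check quoted in the ticket. Explicit
# A-F/a-f ranges are used instead of re.IGNORECASE to keep matching ASCII-only.
UUID_RE = re.compile(
    r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
)

# One hostname label (assumption: RFC 1123 rules): letters, digits and hyphen,
# 1 to 63 characters, never starting or ending with a hyphen.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_node_id(value: str) -> bool:
    """Accept only the literal 'root' or a complete UUID."""
    # fullmatch() rejects extra text before or after the UUID, including a
    # trailing newline that a '$' anchor would let through.
    return value == "root" or UUID_RE.fullmatch(value) is not None


def is_valid_hostname(value: str) -> bool:
    """Accept dot-separated labels, 253 characters at most."""
    if not value or len(value) > 253:
        return False
    # A single trailing dot (fully qualified form) is tolerated.
    name = value[:-1] if value.endswith(".") else value
    return all(LABEL_RE.fullmatch(label) for label in name.split("."))


if __name__ == "__main__":
    # Constructed samples; the second hostname is the one quoted in the ticket.
    node_ids = ["root", "0f8fad5b-d9cb-469f-a165-70867728950e", "--insecure"]
    hostnames = [
        "node1.example.com",
        'toto " $ <b>tutu</b><script>alert(1);</script>',
        "-node.example.com",
    ]
    for node_id in node_ids:
        print(f"node id  {node_id!r}: {is_valid_node_id(node_id)}")
    for hostname in hostnames:
        print(f"hostname {hostname!r}: {is_valid_hostname(hostname)}")
```

Validation of this kind complements passing the node id and hostname to commands as separate arguments; it does not replace it.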