Bug #19457

Updated by Alexis Mousset almost 3 years ago

Currently the webapp allows anything in the @[a-zA-Z0-9\-]@ range (which includes things like @--insecure@), while on the agent side the inventory check script is much stricter and checks for:

 <pre> 
 ($uuid ne "root" \&\& $uuid !~ /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i)) 
 </pre> 

 As this check is already present at inventory creation, we can apply it pretty safely on the webapp side, or at least prevent a dash as first char.

 This would avoid option injection in commands using node id as argument.
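
The two checks compared on constructed node ids, as an added example that is not Rudder code: the helper names, the @node-tool@ CLI and the sample ids are hypothetical, and matching the whole string (anchoring) is an assumption of this example.

```python
import argparse
import re

# Permissive charset the report says the webapp accepts (whole-string match assumed).
WEBAPP_ID = re.compile(r"[a-zA-Z0-9\-]+")
# UUID pattern from the agent-side check quoted above; fullmatch() anchors it here.
STRICT_UUID = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)


def webapp_accepts(node_id: str) -> bool:
    return WEBAPP_ID.fullmatch(node_id) is not None


def strict_accepts(node_id: str) -> bool:
    """'root' or a canonical UUID, nothing else."""
    return node_id == "root" or STRICT_UUID.fullmatch(node_id) is not None


def no_leading_dash(node_id: str) -> bool:
    """Weaker fallback from the report: same charset, first char is not '-'."""
    return webapp_accepts(node_id) and not node_id.startswith("-")


def hypothetical_tool_parse(argv):
    """Stand-in for a command that receives a node id as an argument."""
    parser = argparse.ArgumentParser(prog="node-tool")
    parser.add_argument("--insecure", action="store_true")
    parser.add_argument("node_id", nargs="?")
    return parser.parse_args(argv)


def compare(ids):
    """Return {id: (webapp, strict, no_leading_dash)} for each candidate id."""
    return {i: (webapp_accepts(i), strict_accepts(i), no_leading_dash(i)) for i in ids}


if __name__ == "__main__":
    # Constructed sample ids, not taken from any real inventory.
    samples = ["root", "0f3c2a1b-9d8e-4f7a-8b6c-1a2b3c4d5e6f", "node-1", "--insecure"]
    for node_id, verdicts in compare(samples).items():
        print(f"{node_id!r:42} webapp/strict/no-dash = {verdicts}")
    # An id that passes the permissive check is read as a flag, not as an id.
    print(hypothetical_tool_parse(["--insecure"]))
    # Independent of validation, "--" ends option parsing in the called command.
    print(hypothetical_tool_parse(["--", "--insecure"]))
```
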
