Bug #19457
Updated by François ARMAND almost 3 years ago
Currently the webapp allows anything in the @[a-zA-Z0-9\-]@ range (which includes things like @--insecure@ while on agent side the inventory check script is much stricter and checks for:
<pre>
($uuid ne "root" \&\& $uuid !~ /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i))
</pre>
As this check is already present at inventory creation, we can apply it pretty safely on the webapp side, or a at least prevent dash as first char.
This would avoid option injection in commands using node id as argument.
For hostnames, currently @toto " $ <b>tutu</b><script>alert(1);</script>@ is accepted as a valid hostname.
Given the hostname is used in several places, including command arguments, it could be a good thing to restrict its content to a reasonable char set to prevent various injections.