
fix: sanitize domain input to prevent command injection

- Added input validation for the domain parameter to allow only alphanumeric characters, dots, and dashes.
- This mitigates a command injection vulnerability on line 9 where unsanitized user input could be injected into the sed command.
- The fix improves security for local script execution in multi-user environments or when the script is run with elevated privileges.
pull/334/head
Alperen 1 month ago
committed by GitHub
parent
commit
770fe178d2
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
1 changed files with 12 additions and 7 deletions
  1. +12
    -7
      adddomain.sh

+ 12
- 7
adddomain.sh

@@ -1,28 +1,33 @@
#!/bin/sh

domain="$1"
[ -z "$1" ] && exit
[ -z "$domain" ] && exit

# Input validation to allow only valid domain characters
if ! [[ "$domain" =~ ^[a-zA-Z0-9.-]+$ ]]; then
echo "Invalid domain format. Only alphanumeric characters, dashes, and dots are allowed."
exit 1
fi

domain="$1"
subdom="mail"

# Add the domain to the valid postfix addresses.
# Add the domain to the valid postfix addresses
grep -q "^mydestination.*$domain" /etc/postfix/main.cf ||
sed -i "s/^mydestination.*/&, $domain/" /etc/postfix/main.cf
sed -i "s/^mydestination.*/&, $domain/" /etc/postfix/main.cf

# Create DKIM for new domain.
# Create DKIM for the new domain
mkdir -p "/etc/postfix/dkim/$domain"
opendkim-genkey -D "/etc/postfix/dkim/$domain" -d "$domain" -s "$subdom"
chgrp -R opendkim /etc/postfix/dkim/*
chmod -R g+r /etc/postfix/dkim/*

# Add entries to keytable and signing table.
# Add entries to keytable and signing table
echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$domain/$subdom.private" >> /etc/postfix/dkim/keytable
echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable

systemctl reload opendkim postfix

# Print out DKIM TXT entry.
# Print out DKIM TXT entry
pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"

dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"

