From 88d5dbf010891104da039f302a5b0cb96bd97795 Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Tue, 1 Feb 2022 01:55:09 +0000
Subject: [PATCH] Add more escaping to server infection
---
lib/logic/api_maps/hetzner.dart | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/lib/logic/api_maps/hetzner.dart b/lib/logic/api_maps/hetzner.dart
index f78595c1..cf50d7a6 100644
--- a/lib/logic/api_maps/hetzner.dart
+++ b/lib/logic/api_maps/hetzner.dart
@@ -115,13 +115,25 @@ class HetznerApi extends ApiMap { final apiToken = StringGenerators.apiToken(); // Replace all non-alphanumeric characters with an underscore - final hostname = domainName.split('.')[0].replaceAll(RegExp(r'[^a-zA-Z0-9]'), '-'); + var hostname = domainName.split('.')[0].replaceAll(RegExp(r'[^a-zA-Z0-9]'), '-'); + // if hostname ends with -, remove it + if (hostname.endsWith('-')) { + hostname = hostname.substring(0, hostname.length - 1); + } + // if hostname starts with -, remove it + if (hostname.startsWith('-')) { + hostname = hostname.substring(1); + } + // if hostname is empty, use default + if (hostname.isEmpty) { + hostname = 'selfprivacy-server'; + } /// add ssh key when you need it: e.g. "ssh_keys":["kherel"] /// check the branch name, it could be "development" or "master". var data = jsonDecode( - '''{"name":"$domainName","server_type":"cx11","start_after_create":false,"image":"ubuntu-20.04", "volumes":[$dbId], "networks":[], "user_data":"#cloud-config\\nruncmd:\\n- curl https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect/raw/branch/master/nixos-infect | PROVIDER=hetzner NIX_CHANNEL=nixos-21.05 DOMAIN=$domainName LUSER=${rootUser.login} PASSWORD=${rootUser.password} CF_TOKEN=$cloudFlareKey DB_PASSWORD=$dbPassword API_TOKEN=$apiToken HOSTNAME=$hostname bash 2>&1 | tee /tmp/infect.log","labels":{},"automount":true, "location": "fsn1"}'''); + '''{"name":"$hostname","server_type":"cx11","start_after_create":false,"image":"ubuntu-20.04", "volumes":[$dbId], "networks":[], "user_data":"#cloud-config\\nruncmd:\\n- curl https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect/raw/branch/master/nixos-infect | PROVIDER=hetzner NIX_CHANNEL=nixos-21.05 DOMAIN='$domainName' LUSER='${escapeSingleQuotes(rootUser.login)}' PASSWORD='${escapeSingleQuotes(rootUser.password)}' CF_TOKEN=$cloudFlareKey DB_PASSWORD=${escapeSingleQuotes(dbPassword)} API_TOKEN=$apiToken HOSTNAME=${escapeSingleQuotes(hostname)} bash 2>&1 | tee 
/tmp/infect.log","labels":{},"automount":true, "location": "fsn1"}'''); Response serverCreateResponse = await client.post( '/servers', @@ -226,3 +238,8 @@ class HetznerApi extends ApiMap { close(client); } } + +String escapeSingleQuotes(String str) { + // replace all single quotes with escaped single quotes for bash strong quotes (i.e. '\'' ) + return str.replaceAll(RegExp(r"'"), "'\\''"); +}
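Review bot: The escaped values are spliced into JSON text that `jsonDecode` then parses, so the backslash in the `'\''` sequence produced by `escapeSingleQuotes` reaches the parser as `\'`, which is not a valid JSON escape; a login or password containing a single quote will most likely make `jsonDecode` throw rather than end up quoted, and a `"` or `\` in any interpolated value is still read as JSON syntax. In the same `user_data` string, `DOMAIN='$domainName'` is quoted but not escaped, and `CF_TOKEN=$cloudFlareKey` is neither. Building `data` as a map literal, so that no value passes through a JSON parser as text, and quoting every variable the same way avoids both problems; the sketch below assumes `dbId` is an int, as the unquoted interpolation suggests. The enclosing method starts and ends outside the hunk.

```dart
// … unchanged: apiToken generation and hostname sanitising …
String quoted(String value) => "'${escapeSingleQuotes(value)}'";

final infectCommand =
    'curl https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect/raw/branch/master/nixos-infect | '
    'PROVIDER=hetzner NIX_CHANNEL=nixos-21.05 '
    'DOMAIN=${quoted(domainName)} LUSER=${quoted(rootUser.login)} '
    'PASSWORD=${quoted(rootUser.password)} CF_TOKEN=${quoted(cloudFlareKey)} '
    'DB_PASSWORD=${quoted(dbPassword)} API_TOKEN=${quoted(apiToken)} '
    'HOSTNAME=${quoted(hostname)} bash 2>&1 | tee /tmp/infect.log';

var data = <String, dynamic>{
  'name': hostname,
  'server_type': 'cx11',
  'start_after_create': false,
  'image': 'ubuntu-20.04',
  'volumes': [dbId],
  'networks': [],
  'user_data': '#cloud-config\nruncmd:\n- $infectCommand',
  'labels': {},
  'automount': true,
  'location': 'fsn1',
};
// … unchanged: client.post('/servers', …) …
```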
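Review bot: `escapeSingleQuotes` returns only the inner text of a bash single-quoted string, so its output is safe only when the call site adds the surrounding quotes, and the `DB_PASSWORD=` and `HOSTNAME=` call sites in the first hunk do not. Returning the complete token removes that dependency: `return "'${str.replaceAll("'", "'\\''")}'";`, with the call sites' own quotes dropped. If the current shape is kept, a doc comment such as `/// Escapes ' for use inside a bash single-quoted string; the caller must add the surrounding quotes.` would state the contract. A plain string pattern can also replace `RegExp(r"'")`.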