From 4667ce587f1009c7aa7a50c7f4cd626aa3a24367 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Sat, 13 Jun 2026 13:13:57 +0000 Subject: [PATCH] wifi: fix command injection in iface.uc Add missing strict regex validation for `num_global_macaddr`, `mac_idx` and `data.mbssid` before they are interpolated into the `fs.popen()` shell command string. Signed-off-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: manupawickramasinghe <73810867+manupawickramasinghe@users.noreply.github.com> --- .../files-ucode/usr/share/ucode/wifi/iface.uc | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc index be27e5ae9ecd76..f3379703cfbe46 100644 --- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc +++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/iface.uc @@ -269,8 +269,24 @@ export function prepare(data, phy, num_global_macaddr, macaddr_base) { return; } + if (num_global_macaddr != null && match(num_global_macaddr + "", /[^0-9]/)) { + warn("Invalid num_global_macaddr: ", num_global_macaddr, "\n"); + return; + } + + if (mac_idx != null && match(mac_idx + "", /[^0-9]/)) { + warn("Invalid mac_idx: ", mac_idx, "\n"); + return; + } + + let mbssid = data.mbssid ?? 0; + if (match(mbssid + "", /[^0-9]/)) { + warn("Invalid mbssid: ", mbssid, "\n"); + return; + } + if (!data.macaddr) { - let pipe = fs.popen(`ucode /usr/share/hostap/wdev.uc ${phy} get_macaddr id=${mac_idx} num_global=${num_global_macaddr} mbssid=${data.mbssid ?? 0} macaddr_base=${macaddr_base ?? ""}`); + let pipe = fs.popen(`ucode /usr/share/hostap/wdev.uc ${phy} get_macaddr id=${mac_idx} num_global=${num_global_macaddr} mbssid=${mbssid} macaddr_base=${macaddr_base ?? ""}`); data.macaddr = trim(pipe.read("all"), '\n'); pipe.close();