Sec: Fix input validation in v-insert-dns-domain and a couple of other files

Lupul · Lupul · commit c3cc9640011d · 2019-08-19T08:45:28.000+03:00
diff --git a/bin/v-insert-dns-domain b/bin/v-insert-dns-domain
@@ -31,8 +31,14 @@ is_format_valid 'user' 'data'
 is_system_enabled "$DNS_SYSTEM" 'DNS_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
-eval $data
+parse_object_kv_list "$data"
+
 domain="$DOMAIN"
+if [ -z "$domain" ]; then
+    check_result $E_ARGS "Domain name missing from DATA"
+fi
+is_format_valid 'domain'
+
 if [ "$flush" = 'no' ]; then
     is_domain_new 'dns' $domain
 fi
diff --git a/bin/v-insert-dns-record b/bin/v-insert-dns-record
@@ -30,6 +30,7 @@ is_system_enabled "$DNS_SYSTEM" 'DNS_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'dns' 'DOMAIN' "$domain"
+parse_object_kv_list "$data"
 
 
 #----------------------------------------------------------#
diff --git a/bin/v-list-database-host b/bin/v-list-database-host
@@ -77,6 +77,7 @@ is_type_format_valid() {
 #----------------------------------------------------------#
 
 check_args '2' "$#" 'TYPE HOST [FORMAT]'
+is_format_valid 'host'
 is_type_format_valid "$type"
 is_object_valid "../../conf/$type" 'HOST' "$host"
 
@@ -86,7 +87,7 @@ is_object_valid "../../conf/$type" 'HOST' "$host"
 #----------------------------------------------------------#
 
 # Parsing hosts
-eval $(grep "HOST='$host'" $HESTIA/conf/$type.conf)
+parse_object_kv_list $(grep "HOST='$host'" $HESTIA/conf/$type.conf)
 
 # Listing data
 case $format in
diff --git a/bin/v-sync-dns-cluster b/bin/v-sync-dns-cluster
@@ -21,6 +21,7 @@ source $HESTIA/conf/hestia.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
+is_format_valid 'host'
 is_system_enabled "$DNS_CLUSTER" 'DNS_CLUSTER'
 is_procces_running
 remote_dns_health_check 'no_email'
@@ -42,7 +43,7 @@ fi
 for cluster in $hosts; do
 
     # Parsing host values
-    eval $cluster
+    parse_object_kv_list "$cluster"
 
     # Wiping remote domains
     cluster_cmd v-delete-dns-domains-src $DNS_USER $HOSTNAME no
@@ -54,7 +55,7 @@ for cluster in $hosts; do
         for str in $(cat $HESTIA/data/users/$user/dns.conf); do
 
             # Syncing domain index
-            eval $str
+            parse_object_kv_list "$str"
             cluster_cmd v-insert-dns-domain $DNS_USER "$str" $HOSTNAME ' ' no
             check_result $? "$HOST connection failed" $E_CONNECT
 
