From 7c85d5e6777e9f9f0e23984688ca33180638c1fb Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 8 Jan 2024 18:25:32 +0100 Subject: [PATCH] Sanitize input var in script --- scripts/letsencrypt_authenticator.sh | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/scripts/letsencrypt_authenticator.sh b/scripts/letsencrypt_authenticator.sh index 516d66c03..78e59c675 100755 --- a/scripts/letsencrypt_authenticator.sh +++ b/scripts/letsencrypt_authenticator.sh @@ -3,12 +3,26 @@ # A manual hook for letsencrypt renewal with DNS #------------------------------------------- +#LET'S ENCRYPT VARIABLES +# +#CERTBOT_DOMAIN: The domain being authenticated +#CERTBOT_ALL_DOMAINS: A comma-separated list of all domains challenged for the current certificate +#CERTBOT_VALIDATION: The validation string +#CERTBOT_TOKEN: Resource name part of the HTTP-01 challenge (HTTP-01 only) +#CERTBOT_REMAINING_CHALLENGES: Number of challenges remaining after the current challenge + verbose=true echo ----- letsencrypt_authenticator.sh ----- echo "CERTBOT_DOMAIN=$CERTBOT_DOMAIN" echo "CERTBOT_ALL_DOMAINS=$CERTBOT_ALL_DOMAINS" echo "CERTBOT_VALIDATION=$CERTBOT_VALIDATION" echo "CERTBOT_REMAINING_CHALLENGES=$CERTBOT_REMAINING_CHALLENGES" + +# Sanitize input data +CERTBOT_DOMAIN=$(echo $CERTBOT_DOMAIN | tr -cd '[:alnum:][_\-][\.]') +CERTBOT_VALIDATION=$(echo $CERTBOT_VALIDATION | tr -cd '[:alnum:][_\-]') +CERTBOT_REMAINING_CHALLENGES=$(echo $CERTBOT_REMAINING_CHALLENGES | tr -cd '[:alnum:][_\-]') + export subdomain=$CERTBOT_DOMAIN if [[ "x$subdomain" == "x" ]]; then export subdomain=`grep '^subdomain=' /etc/sellyoursaas.conf | cut -d '=' -f 2` 
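Review bot: The `tr -cd '[:alnum:][_\-][\.]'` sets on the three new `CERTBOT_*` lines do not mean what the brackets suggest: outside the `[:alnum:]` class GNU tr treats `[`, `]`, `_`, `-` and `.` as literal members of the set, so `[` and `]` pass the filter, and the unquoted `echo $CERTBOT_DOMAIN` feeding each pipeline is subject to word splitting and pathname expansion before anything is stripped. The file already sanitizes with parameter expansion a few lines further down (`subdomain=${subdomain//[^a-zA-Z0-9.-]/}`), and the same form needs no subshell, no `echo` and no tr quirks: `CERTBOT_DOMAIN=${CERTBOT_DOMAIN//[^a-zA-Z0-9_.-]/}`, `CERTBOT_VALIDATION=${CERTBOT_VALIDATION//[^a-zA-Z0-9_-]/}`, `CERTBOT_REMAINING_CHALLENGES=${CERTBOT_REMAINING_CHALLENGES//[^0-9]/}` (the header comment added in this hunk documents the last one as a count, so digits alone should do). Stripping characters silently also means a tampered or unexpected validation string is not detected here but surfaces later as a failed challenge; a `[[ "$CERTBOT_VALIDATION" =~ ^[A-Za-z0-9_-]+$ ]] || exit 1` check would fail loudly instead. The `if [[ "x$subdomain" == "x" ]]` block at the end of the hunk continues outside it.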
@@ -16,19 +30,11 @@ fi # Sanitize variable subdomain=${subdomain//[^a-zA-Z0-9.-]/} - zone_file="/etc/bind/${subdomain}.hosts" echo "zone_file=$zone_file" -#current_certificates="/etc/letsencrypt/live/withX.mydomain.com/*pem" -#LET'S ENCRYPT VARIABLES -# -#CERTBOT_DOMAIN: The domain being authenticated -#CERTBOT_ALL_DOMAINS: A comma-separated list of all domains challenged for the current certificate -#CERTBOT_VALIDATION: The validation string -#CERTBOT_TOKEN: Resource name part of the HTTP-01 challenge (HTTP-01 only) -#CERTBOT_REMAINING_CHALLENGES: Number of challenges remaining after the current challenge +#current_certificates="/etc/letsencrypt/live/withX.mydomain.com/*pem" if [ -z "$CERTBOT_DOMAIN" ] || [ -z "$CERTBOT_VALIDATION" ] then @@ -46,9 +52,9 @@ fi #current_checksums=$(md5sum $current_certificates) #$verbose && echo -e "current certificates md5sums :\n$current_checksums" -old_serial=$(grep serial $zone_file |awk '{print $1}') +old_serial=$(grep serial $zone_file | awk '{print $1}' | tr -cd '[:alnum:][_\-]') new_serial=$((old_serial+1)) -old_challenge=$(grep _acme-challenge $zone_file | awk '{print $4}' | head -n 1) +old_challenge=$(grep _acme-challenge $zone_file | awk '{print $4}' | head -n 1 | tr -cd '[:alnum:][_\-]') new_challenge="\"$CERTBOT_VALIDATION\"" $verbose && echo "old serial : $old_serial" $verbose && echo "new serial : $new_serial"
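Review bot: The `tr -cd '[:alnum:][_\-]'` appended to `old_challenge` strips the surrounding double quotes that awk's `$4` carries for a `TXT "..."` record, while `new_challenge` on the next line is deliberately built with quotes (`"\"$CERTBOT_VALIDATION\""`); if the code after the hunk substitutes one for the other in the zone file, the new record presumably ends up with doubled quotes. Keeping `"` in the allowed set restores the symmetry: `old_challenge=$(grep _acme-challenge "$zone_file" | awk '{print $4}' | head -n 1 | tr -cd 'A-Za-z0-9_"-')`. For `old_serial` the same set is too wide for a value that goes straight into `$((old_serial+1))`, where bash evaluates a non-numeric word as a variable name (and `[`/`]` are literal members of that tr set rather than class delimiters); restrict it to digits and stop when nothing usable was read, e.g. `old_serial=$(grep serial "$zone_file" | awk '{print $1}' | tr -cd '0-9')` followed by `[[ "$old_serial" =~ ^[0-9]+$ ]] || { echo "no serial found in $zone_file" >&2; exit 1; }`. The zone update that consumes these variables lies outside the hunk.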