Copilot AI commented Jan 30, 2026

Description

Comprehensive security review identified and resolved 9 vulnerabilities across shell scripts, Python code, and web endpoints.

Command Injection (High)

  • scripts/uefi-tools/uuefi-apply.sh, scripts/secure-boot/keys-centralize.sh: Replaced eval "$*" with "$@"
  • scripts/recovery/autonuke.py: Changed subprocess.run() default to shell=False with shlex.split()

Secrets & Credentials (High)

  • web/hardware_database_server.py: Replaced hardcoded Flask SECRET_KEY with os.environ.get('SECRET_KEY', secrets.token_hex(32))

Path Traversal (Critical)

  • web/hardware_database_server.py: Added alphanumeric validation and TOCTOU-resistant path resolution in download endpoint
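import re

# Validate input format (fullmatch: with re.match, a trailing "$" also accepts an ID ending in "\n")
if not re.fullmatch(r'[a-zA-Z0-9_-]+', hardware_id):
    return "Invalid hardware ID format", 400

# Resolve symlinks and verify containment by path components; a string-prefix
# test would also accept a sibling directory whose name starts with the uploads path
profile_file = profile_file.resolve()
if not profile_file.is_relative_to(UPLOADS_PATH.resolve()):  # Python 3.9+
    return "Invalid file path", 400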

Insecure Temp Files (Medium)

  • scripts/secure-boot/enable-secureboot-kexec.sh: Replaced predictable /tmp/phoenixboot_*.sh with mktemp

Input Validation (Medium)

  • scripts/recovery/nuclear-wipe.sh: Added device path regex validation, extracted to reusable function

Deprecated APIs

  • scripts/validation/detect_bootkit.py: Replaced os.system() with subprocess.run()

  • Breaking change?

  • Impacts security?

  • Includes tests?

How This Was Tested

  • CodeQL security scanning: 0 alerts
  • Shellcheck analysis: No critical errors
  • Python syntax validation: All files valid

Integration Instructions

Production deployments should set the SECRET_KEY environment variable for web/hardware_database_server.py. If unset, a random key is generated (sessions are invalidated on restart).

Original prompt

This section details on the original issue you should resolve

<issue_title>Full on review</issue_title>
<issue_description>For correctness and posterity.</issue_description>

Comments on the Issue (you are @copilot in this section)


Copilot AI and others added 3 commits January 30, 2026 03:35
…ath traversal, insecure temp files

Co-authored-by: P4X-ng <223870169+P4X-ng@users.noreply.github.com>
Co-authored-by: P4X-ng <223870169+P4X-ng@users.noreply.github.com>
… and ARGS word splitting

Co-authored-by: P4X-ng <223870169+P4X-ng@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix issue with full review correctness" to "Security: Fix command injection, path traversal, and hardcoded secrets" Jan 30, 2026
Copilot AI requested a review from P4X-ng January 30, 2026 03:45
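
The download-endpoint validation from the Path Traversal item in the description, as an added example that is not code from this pull request: it runs a string-prefix containment test and a path-component test over a constructed directory tree containing a symlink to a sibling directory, and checks the ID pattern against an ID with a trailing newline. The function names, the `uploads`/`uploads_old` layout and the `<hardware_id>.json` file naming are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

ID_RE = re.compile(r"[a-zA-Z0-9_-]+")  # same character set as the PR's pattern


def prefix_contained(candidate: Path, root: Path) -> bool:
    """String-prefix containment test on resolved paths (the weak form)."""
    return str(candidate.resolve()).startswith(str(root.resolve()))


def component_contained(candidate: Path, root: Path) -> bool:
    """Component-wise containment test on resolved paths (Python 3.9+)."""
    return candidate.resolve().is_relative_to(root.resolve())


def safe_profile_path(hardware_id: str, root: Path) -> Optional[Path]:
    """Return the resolved profile path, or None if the request must be rejected."""
    # fullmatch: re.match with '^...$' would also accept an ID ending in '\n'
    if not ID_RE.fullmatch(hardware_id):
        return None
    candidate = root / f"{hardware_id}.json"  # assumed file naming, not from the PR
    if not component_contained(candidate, root):
        return None
    return candidate.resolve()


def demo() -> dict:
    """Build a constructed directory layout and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"
        sibling = Path(tmp) / "uploads_old"  # shares the string prefix ".../uploads"
        uploads.mkdir()
        sibling.mkdir()
        (uploads / "board-01.json").write_text("{}")
        (sibling / "secret.json").write_text("{}")
        # Symlink inside uploads/ whose target lives in the sibling directory
        link = uploads / "link.json"
        link.symlink_to(sibling / "secret.json")
        return {
            "prefix_accepts_link": prefix_contained(link, uploads),
            "component_accepts_link": component_contained(link, uploads),
            "good_id": safe_profile_path("board-01", uploads) is not None,
            "link_id": safe_profile_path("link", uploads) is not None,
            "newline_id": safe_profile_path("board-01\n", uploads) is not None,
            "dotdot_id": safe_profile_path("../uploads_old/x", uploads) is not None,
        }
```

The prefix test accepts the symlinked file because the resolved path `.../uploads_old/secret.json` begins with the string `.../uploads`; the component test rejects it.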

Development

Successfully merging this pull request may close these issues.

Full on review