escape special chars in username: - . \ @ (butlerx#406)

revarcline · Aug 2, 2022 · 1e4f173 · 1e4f173
1 parent 8722a71
commit 1e4f173
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/src/server/shared/shell.spec.ts b/src/server/shared/shell.spec.ts
@@ -8,6 +8,11 @@ describe('Values passed to escapeShell should be safe to pass woth sub processes
     expect(cmd).to.equal('testechohello');
   });
 
+  it('should allow usernames with special characters', () => {
+    const cmd = escapeShell('bob.jones\\COM@ultra-machine_dir');
+    expect(cmd).to.equal('bob.jones\\COM@ultra-machine_dir');
+  });
+
   it('should ensure args cant be flags', () => {
     const cmd = escapeShell("-oProxyCommand='bash' -c `wget localhost:2222`");
     expect(cmd).to.equal('oProxyCommandbash-cwgetlocalhost2222');

diff --git a/src/server/shared/shell.ts b/src/server/shared/shell.ts
@@ -1,2 +1,3 @@
 export const escapeShell = (username: string): string =>
-  username.replace(/^-|[^a-zA-Z0-9_-]/g, '');
+  // eslint-disable-next-line no-useless-escape
+  username.replace(/^-|[^a-zA-Z0-9_\\\-\.\@-]/g, '');