Skip to content

Sec/security hardening#226

Open
FUjr wants to merge 5 commits into
mainfrom
sec/security-hardening
Open

Sec/security hardening#226
FUjr wants to merge 5 commits into
mainfrom
sec/security-hardening

Conversation

@FUjr

@FUjr FUjr commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Summary

This PR hardens QModem command execution and SMS rendering paths against injection and XSS-style risks.

Changes

  • Quote modem AT/SMS command arguments in shell scripts.
  • Harden qmodem_sms ucode RPC command execution:
    • validate config section, device paths, PDU, SIM index, and SMS storage values
    • quote shell arguments before popen() / system()
    • stop returning unused internal SMS config/raw SIM payload fields
  • Harden legacy LuCI SMS controller command execution.
  • Harden legacy LuCI/QModem Lua command execution paths:
    • add action allowlist for modem_ctrl
    • quote dynamic shell arguments
    • replace unsafe sysfs echo > path with file writes
    • replace several io.popen("ls ...") directory listings with nixio.fs.dir()
  • Render SMS/PDU data as text instead of HTML in legacy and shared SMS UI helpers.

Validation

  • sh -n passed for modified shell scripts.
  • node --check passed for sms-pdu.js.
  • git diff --check passed for the security commits.
  • Static scan confirmed targeted SMS UI files no longer use innerHTML.

Notes

Lua and ucode syntax checks were not run locally because lua, luac, and ucode are not installed in this environment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant