From bec3321fff4c6dc3b3dbc61fdc6fd98913988a78 Mon Sep 17 00:00:00 2001
From: Romain Vimont <rom@rom1v.com>
Date: Fri, 13 Sep 2024 19:53:05 +0200
Subject: [PATCH] Validate server arguments

Some command line arguments are passed as is to "adb shell". Therefore,
they must not contain special shell characters.
---
 app/src/server.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/app/src/server.c b/app/src/server.c
index 41517f18..b67cb8b2 100644
--- a/app/src/server.c
+++ b/app/src/server.c
@@ -218,6 +218,21 @@ sc_server_get_audio_source_name(enum sc_audio_source audio_source) {
     }
 }
 
+static bool
+validate_string(const char *s) {
+    // The parameters values are passed as command line arguments to adb, so
+    // they must either be properly escaped, or they must not contain any
+    // special shell characters.
+    // Since they are not properly escaped on Windows anyway (see
+    // sys/win/process.c), just forbid special shell characters.
+    if (strpbrk(s, " ;'\"*$?&`#\\|<>[]{}()!~")) {
+        LOGE("Invalid server param: [%s]", s);
+        return false;
+    }
+
+    return true;
+}
+
 static sc_pid
 execute_server(struct sc_server *server,
                const struct sc_server_params *params) {
@@ -260,6 +275,11 @@ execute_server(struct sc_server *server,
         } \
         cmd[count++] = p; \
     } while(0)
+#define VALIDATE_STRING(s) do { \
+        if (!validate_string(s)) { \
+            goto end; \
+        } \
+    } while(0)
 
     ADD_PARAM("scid=%08x", params->scid);
     ADD_PARAM("log_level=%s", log_level_to_server_string(params->log_level));
@@ -311,6 +331,7 @@ execute_server(struct sc_server *server,
         ADD_PARAM("tunnel_forward=true");
     }
     if (params->crop) {
+        VALIDATE_STRING(params->crop);
         ADD_PARAM("crop=%s", params->crop);
     }
     if (!params->control) {
@@ -321,9 +342,11 @@ execute_server(struct sc_server *server,
         ADD_PARAM("display_id=%" PRIu32, params->display_id);
     }
     if (params->camera_id) {
+        VALIDATE_STRING(params->camera_id);
         ADD_PARAM("camera_id=%s", params->camera_id);
     }
     if (params->camera_size) {
+        VALIDATE_STRING(params->camera_size);
         ADD_PARAM("camera_size=%s", params->camera_size);
     }
     if (params->camera_facing != SC_CAMERA_FACING_ANY) {
@@ -331,6 +354,7 @@ execute_server(struct sc_server *server,
             sc_server_get_camera_facing_name(params->camera_facing));
     }
     if (params->camera_ar) {
+        VALIDATE_STRING(params->camera_ar);
         ADD_PARAM("camera_ar=%s", params->camera_ar);
     }
     if (params->camera_fps) {
@@ -346,15 +370,19 @@ execute_server(struct sc_server *server,
         ADD_PARAM("stay_awake=true");
     }
     if (params->video_codec_options) {
+        VALIDATE_STRING(params->video_codec_options);
         ADD_PARAM("video_codec_options=%s", params->video_codec_options);
     }
     if (params->audio_codec_options) {
+        VALIDATE_STRING(params->audio_codec_options);
         ADD_PARAM("audio_codec_options=%s", params->audio_codec_options);
     }
     if (params->video_encoder) {
+        VALIDATE_STRING(params->video_encoder);
         ADD_PARAM("video_encoder=%s", params->video_encoder);
     }
     if (params->audio_encoder) {
+        VALIDATE_STRING(params->audio_encoder);
         ADD_PARAM("audio_encoder=%s", params->audio_encoder);
     }
     if (params->power_off_on_close) {