fix: Changed order of escape to prevent RCE

This commit is contained in:
Yassine DAMIRI
2026-04-20 01:00:43 +02:00
parent 34374cbe09
commit 46bf3274d8
+2 -2
View File
@@ -123,8 +123,8 @@ const setupCertbotPlugins = async () => {
// Escape single quotes and backslashes
if (typeof certificate.meta.dns_provider_credentials === "string") {
const escapedCredentials = certificate.meta.dns_provider_credentials
.replaceAll("'", "\\'")
.replaceAll("\\", "\\\\");
.replaceAll("\\", "\\\\")
.replaceAll("'", "\\'");
const credentials_cmd = `[ -f '${credentials_loc}' ] || { mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo '${escapedCredentials}' > '${credentials_loc}' && chmod 600 '${credentials_loc}'; }`;
promises.push(utils.exec(credentials_cmd));
}