Prevent credential leakage via curl process information

Use a heredoc to pass the SID, password and totp to curl so they don't
appear in the process list.

Signed-off-by: Rob Gill <rrobgill@protonmail.com>
Rob Gill
2026-03-14 04:20:41 +10:00
parent 86527ea5b4
commit 270db97491
+21 -3
@@ -274,7 +274,13 @@ DeleteSession() {
# SID is not null (successful authenthication only), delete the session
if [ "${validSession}" = true ] && [ "${SID}" != null ]; then
# Try to delete the session. Omit the output, but get the http status code
deleteResponse=$(curl --connect-timeout 2 -skS -o /dev/null -w "%{http_code}" -X DELETE "${API_URL}auth" -H "Accept: application/json" -H "sid: ${SID}")
# SID is passed via stdin config (-K -) to prevent leakage via process information
deleteResponse=$(curl --connect-timeout 2 -skS -o /dev/null -w "%{http_code}" -X DELETE "${API_URL}auth" \
-H "Accept: application/json" \
-K - <<EOF
header = "sid: ${SID}"
EOF
)
printf "\n\n"
case "${deleteResponse}" in
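Review bot: The SID is interpolated unescaped into curl's config-file syntax at `header = "sid: ${SID}"`, so a value containing a double quote or a newline would end the quoted string early and the remainder would be read as further config directives; the same pattern is used in the GetFTLData hunk. The SID is taken from the server's response and `-k` disables certificate verification on these requests, so that source is not fully trusted and the value should be checked before it is written into the heredoc — if the token alphabet is known (confirm against the API), a guard such as `case "${SID}" in *[!A-Za-z0-9_=+/-]*) return 1 ;; esac` placed before the curl call would cover both sites. Note also that, depending on the shell, a heredoc may be materialised as a temporary file before curl reads it, so this moves the SID out of argv but not necessarily off disk; `-K -` is still a clear improvement over `-H`. DeleteSession begins before this hunk.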
@@ -289,7 +295,13 @@ DeleteSession() {
}
Authenticate() {
sessionResponse="$(curl --connect-timeout 2 -skS -X POST "${API_URL}auth" --user-agent "PADD ${padd_version}" --data "{\"password\":\"${password}\", \"totp\":${totp:-null}}" )"
sessionResponse="$(curl --connect-timeout 2 -skS -X POST "${API_URL}auth" \
--user-agent "PADD ${padd_version}" \
-H "Content-Type: application/json" \
--data-binary @- <<EOF
{"password":"${password}", "totp":${totp:-null}}
EOF
)"
if [ -z "${sessionResponse}" ]; then
moveXOffset; echo "No response from FTL server. Please check connectivity and use the options to set the API URL"
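Review bot: The password is still inserted into the JSON body without escaping at `{"password":"${password}", "totp":${totp:-null}}`, so a password containing `"` or `\` produces invalid JSON and a failed login even though the heredoc now keeps it out of argv; `${totp:-null}` is likewise inserted bare, so a non-numeric value also breaks the body. Unless the value is sanitised earlier in the script, escape it first with `json_password=$(printf '%s' "${password}" | sed 's/[\\"]/\\&/g')` and reference `${json_password}` in the heredoc — printf is a builtin in the common shells and sed receives the value on stdin, so this does not reintroduce it to the process list. Authenticate's body continues past the end of this hunk.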
@@ -311,7 +323,13 @@ GetFTLData() {
local status
# get the data from querying the API as well as the http status code, include delimiter for ease in splitting payload
response=$(curl --connect-timeout 2 -sk -w ">>%{http_code}" -X GET "${API_URL}$1$2" -H "Accept: application/json" -H "sid: ${SID}" )
# SID is passed via stdin config (-K -) to prevent leakage via process information
response=$(curl --connect-timeout 2 -sk -w ">>%{http_code}" -X GET "${API_URL}$1$2" \
-H "Accept: application/json" \
-K - <<EOF
header = "sid: ${SID}"
EOF
)
# status is the response http_code, eg. 200, 401.
# Shell parameter expansion, remove everything up to and including the >> delim