
scripts/make-site.sh: avoid eval and validate DOCSY_VERS to prevent command injection

Open thesmartshadow opened this issue 1 month ago • 1 comment

Summary

This PR hardens scripts/make-site.sh by removing unsafe shell eval usage and validating user-controlled inputs (notably -v / DOCSY_VERS) to prevent OS command injection during Hugo module operations.

Background / Root Cause

DOCSY_VERS is provided via the -v flag and is incorporated into the Hugo module reference. The script previously used eval for Hugo module commands, which can turn attacker-influenced data into shell syntax (command separators / metacharacters), resulting in unintended command execution.

Fix

  • Remove eval from Hugo / Hugo-module invocation paths and pass arguments safely.
  • Add conservative allowlist validation for DOCSY_VERS and DOCSY_REPO (reject whitespace / shell metacharacters and unexpected patterns).
  • Preserve existing behavior for valid refs/tags/branches; invalid inputs now fail fast with a clear error.

Why this matters (realistic threat model)

Docsy’s own documentation references automated build/publish workflows (e.g., PR deploy previews). In real build/preview pipelines, values such as refs/branches/tags and other derived parameters can become attacker-influenced (directly or indirectly) and reach scripts like make-site.sh. When DOCSY_VERS is concatenated into a string executed via eval, shell metacharacters can be interpreted as commands (build-time OS command injection). This can impact the CI runner, secrets available to the job, and the integrity of generated/published artifacts (supply-chain risk).

Security impact

This is a build-time hardening change. If -v is influenced by untrusted CI inputs or build automation parameters, the previous eval usage could enable command execution in the build environment, potentially impacting:

  • CI runner integrity
  • secrets exposure
  • artifact integrity (supply-chain risk)

Security classification

  • CWE-78: OS Command Injection
  • Contributing weakness: unsafe use of eval with attacker-influenced data

Testing

  • Verified: ./scripts/make-site.sh -s HUGO -v main still works as expected.
  • Verified: malicious/invalid -v values are rejected and do not get executed.

References

  • CWE-78: OS Command Injection

thesmartshadow avatar Dec 06 '25 09:12 thesmartshadow
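The two shapes the PR contrasts, as an added example that is not Docsy's own make-site.sh: the eval-based invocation in which DOCSY_VERS is re-parsed by the shell, beside a hardened version that allowlist-validates DOCSY_VERS and DOCSY_REPO and calls hugo with one argv word per parameter and no eval. The `hugo` function is a stub that echoes its arguments so the script runs offline, and `validate_token`, `unsafe_get_module` and `safe_get_module` are assumed names rather than the project's.

```shell
#!/bin/sh
# Added example; not the Docsy project's make-site.sh. It shows the eval-based
# shape the PR removes beside a hardened version that validates DOCSY_VERS and
# DOCSY_REPO against an allowlist and passes them to hugo without eval.
# `hugo` is stubbed so this runs offline; the function names are assumed.

# Stub standing in for the real hugo binary: echoes each argument on its own
# line, so the caller can see exactly which argv words reached the command.
hugo() { printf '%s\n' "$@"; }

# Conservative allowlist for a module path or a ref (tag/branch/commit):
# only [A-Za-z0-9._/-], non-empty, bounded length, no leading '-' (would be
# parsed as an option by the callee), no '..' segments. Whitespace and every
# shell metacharacter fall outside the class and are rejected.
validate_token() {
  tok=$1
  [ -n "$tok" ] && [ "${#tok}" -le 200 ] || return 1
  case "$tok" in
    -*|*..*|*[!A-Za-z0-9._/-]*) return 1 ;;
  esac
  return 0
}

# BEFORE: the pattern the PR removes. The command is assembled as a string and
# re-parsed by eval, so whitespace and metacharacters in $2 become shell
# syntax instead of data. Kept here only to show the defect.
unsafe_get_module() {
  eval "hugo mod get $1@$2"
}

# AFTER: validate first, then hand hugo one argv word per parameter. The shell
# never re-parses user data; "$repo@$vers" stays a single argument.
safe_get_module() {
  repo=$1 vers=$2
  validate_token "$repo" || { echo "invalid DOCSY_REPO: $repo" >&2; return 2; }
  validate_token "$vers" || { echo "invalid DOCSY_VERS: $vers" >&2; return 2; }
  hugo mod get "$repo@$vers"
}
```

With the stub in place, `safe_get_module github.com/google/docsy main` (the `-v main` case the PR tested) prints the three words `mod`, `get` and `github.com/google/docsy@main`, while a ref carrying a space or `;` is refused before hugo is ever called.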

Hi maintainers, this PR removes unsafe eval usage in scripts/make-site.sh and validates -v (DOCSY_VERS) to prevent shell metacharacter injection in Hugo module operations.

Current status shows:

  • “Review required” (needs 1 approving review from a maintainer)
  • “Workflows awaiting approval” (CI for forks requires maintainer approval)

If you can:

  1. Approve/run the pending workflows, and
  2. Review the change.

I verified:

  • ./scripts/make-site.sh -s HUGO -v main still works
  • malicious/invalid -v values are rejected and not executed

Thanks!

thesmartshadow avatar Dec 06 '25 10:12 thesmartshadow