From 2c331fdd6f071d8fda97bf1a030d820871c9e452 Mon Sep 17 00:00:00 2001
From: battlehax
Date: Thu, 11 Nov 2021 11:32:30 -0600
Subject: [PATCH] Add files via upload (#174)

prevent unauthenticated remote code execution as root in the 'traceroute' function
---
 files/www/cgi-bin/api | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/files/www/cgi-bin/api b/files/www/cgi-bin/api
index c29086d7..8fb9e404 100755
--- a/files/www/cgi-bin/api
+++ b/files/www/cgi-bin/api
@@ -356,8 +356,11 @@ for page, comps in pairs(qsset) do
 end
 elseif page=="traceroute" then
 for i,tonode in pairs(comps:split(',')) do
- if tonode~="" then
+ -- Validate that input as ip or hostname inside the mesh
+ if tonode:match("^[%d%.]+$") or tonode:match("^[%d%a%-%.%_]+$") then
 info['pages'][page][tonode]=getTraceroute(tonode)
+ else
+ info['pages'][page][tonode]="Invalid input!"
 end
 end
 elseif page=="mesh" then
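Review bot: The allowlist on the new `if` line still accepts a value whose first character is `-`, so a "node" such as `-m` or `-w` reaches getTraceroute looking like a command-line option rather than a host; if getTraceroute builds a shell or exec argument list from it (its body is outside this hunk) that is argument injection even though shell metacharacters are now excluded. Requiring an alphanumeric first character closes that hole: `if tonode:match("^%w[%w%-%.%_]*$") then`. The first pattern `^[%d%.]+$` is entirely contained in the second, so the `or` can be dropped without changing what is accepted. A length cap on `tonode` before handing it to an external program would also be reasonable here. The enclosing `for page, comps in pairs(qsset)` loop begins before the hunk.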