From e06932e73e965c8e47976f6849c7d675b19b82b7 Mon Sep 17 00:00:00 2001
From: Robertkill
Date: Wed, 20 May 2026 09:24:47 +0800
Subject: [PATCH] fix(eventlog): avoid shell injection via .desktop filename in dpkg -S lookup

Use exec.Command("dpkg", "-S", desktop) directly instead of exec.Command("/bin/bash", "-c", ...) to prevent shell metacharacter expansion in the desktop file path. A malicious .desktop file named e.g. $(cmd).desktop would have the embedded command executed when the application is launched and eventlog tries to look up its package name via dpkg.
---
 session/eventlog/app_event.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/session/eventlog/app_event.go b/session/eventlog/app_event.go
index 5a0948d64..f1ba1bc9e 100644
--- a/session/eventlog/app_event.go
+++ b/session/eventlog/app_event.go
@@ -196,8 +196,7 @@ func (c *appEventCollector) monitor(entryObj dock.Entry) {
 logger.Debugf("desktop file is link file, real path is %v", desktop)
 }
 // run dpkg to get package name
-dpkg := []string{"dpkg", "-S", desktop}
-cmd := exec.Command("/bin/bash", "-c", strings.Join(dpkg, " "))
+cmd := exec.Command("dpkg", "-S", desktop)
 logger.Debugf("dpkg command is %v", cmd)
 // run command to get package
 buf, err := cmd.Output()
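Review bot: The new `exec.Command("dpkg", "-S", desktop)` removes the shell, but `desktop` is still handed to dpkg in option position, so a path beginning with `-` would be parsed as an option rather than a search argument; dpkg honours `--` as end-of-options, so `cmd := exec.Command("dpkg", "-S", "--", desktop)` closes that off at no cost (the resolved real path is presumably absolute, so this is belt-and-braces). Separately, the removed line was this hunk's only visible use of `strings.Join`; if it was the file's last use of the `strings` package, the import must be dropped too or the file will not compile. `dpkg -S` also treats `*`, `?` and `[` in its argument as shell-style wildcards, so a desktop file name containing them can be attributed to the wrong package or to several; a comment on the new line noting this, or rejecting such names before the lookup, would make the behaviour explicit. The enclosing `monitor` method starts and ends outside the hunk.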