CISS.debian.live.builder/lib/lib_sanitizer.sh

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Argument Check Wrapper
# Arguments:
#   $1: "$@" of ./ciss_live_builder.sh
#######################################
arg_check() {
  declare a
  declare sanitized_args=()
  for a in "$@"; do
    sanitized_args+=("$( sanitize_arg "${a}")")
  done
  set -- "${sanitized_args[@]}"
}

#######################################
# Function to sanitize a single argument
# Globals:
#   ERR_INVLD_CHAR
#   LOG_ERROR
# Arguments:
#   $1: Argument to check
#######################################
sanitize_arg() {
  declare input="${1}"
  declare disallowed_ctrl=""
  ### Step 1: Check for control characters
  if printf '%s' "${input}" | grep -qP '[[:cntrl:]]'; then
    disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \
      | while read -r c; do printf "%02X " "'$c"; done)
    {
      printf "❌ Control character   : '%s'. \n" "${disallowed_ctrl}"
      printf "❌         in argument : '%s'. \n" "${input}"
      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
      printf "\n"
    } >> "${LOG_ERROR}"
    boot_screen_cleaner
    printf "\e[91m❌ Control character   : '%s'. \e[0m\n" "${disallowed_ctrl}" >&2
    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
    exit "${ERR_INVLD_CHAR}"
  fi

  ### Step 2: Define allowed characters:
  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
  declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
  declare disallowed
  disallowed=$(printf '%s' "${input}" | tr -d "${allowed}")
  if [[ -n ${disallowed} ]]; then
    {
      printf "❌ Invalid character   : '%s'. \n" "${disallowed//?/& }"
      printf "❌         in argument : '%s'. \n" "${input}"
      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
      printf "\n"
    } >> "${LOG_ERROR}"
    boot_screen_cleaner
    printf "\e[91m❌ Invalid character   : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
    exit "${ERR_INVLD_CHAR}"
  else
    printf '%s' "${input}"
  fi
}

#######################################
# Function to remove any character not in the allowed set
# Arguments:
#   $1: String to Sanitize
#######################################
sanitize_string() {
  declare input="$1"
  ### Define allowed characters:
  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
  declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
  printf '%s' "${input}" | tr -cd "${allowed}"
}

#######################################
# Function to escape all shell metacharacters
# Arguments:
#   $1: String to Sanitize
#######################################
sanitize_shell_literal() {
  declare input="$1"
  ### %q quotes the string so that the shell re-reads it as the original literal
  printf '%q' "${input}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh