Prevent directory traversal vulnerability in bash script

How can I prevent directory traversal attacks in a bash script, where arguments contain directory names?

Example:

$  STAGE=$  1 $  APP=$  2 deploy.sh dist/ /opt/apps/"$  STAGE"/"$  APP" 

The $ STAGE and $ APP variables are set from outside. An attacker could change this to an arbitrary path with "..".

I know the usual solution is to compare the directory string with the result of a function that returns the absolute path. But I couldn’t find a ready solution and don’t want to come up with my own.

Is running bash script that is taking arguments from site dialog box a good idea?

I’m building a site that will use youtubeAPI to keep track of playlist changes. In order for 3rd party to use it I would supply a dialog box in which user would type his/hers playlistID – this would be read and then put as an argument into bash script that in turn runs curl/python scripts to connect with API (ran on my machine) and another bash script that would mkdirs on my disk.

Does this potentially endanger me/my files somehow ? Can someone input some magic command that would do “rm * -f” or similar malicious endeavor ? Should I use some external server instead of my machine ?

I know nothing about security, Ive read few topics here but didnt find similar problem.

Is this bash command vulnerable to code injection?

I’m wondering if the following code is vulnerable to command injection in bash :

sumo /bin/netflash -Uk $  CONTROLED_OPTION 2>&1 

I’m thinking since it’s not included in ” ” it should be vulnerable but I’m not sure since I can’t make the command injection work, I tried $ () `` | && ||  but nothing is working.

or do I need the command to be inside a eval to be vulnerable ?

Thanks

For creating tools, Bash, Perl or Python? Which should I invest my time in to?

Having trouble choosing between the three, I would of course love to learn all three in the future, but right now I’m curious as to which language would be the most beneficial to me.

Also, I’m aware that different tools might be more useful in certain scenarios, in this case, I just want to learn the language that suits best for creating Ethical hacking tools, and which language would be the easiest to master?

Error while running shell script inside ubuntu VM: -bash: ./install.sh: /bin/bash^M: bad interpreter: No such file or directory

I have 3 shell script files placed inside vagrant directory like so: files placement screenshot

This is the install.sh file:

#!/bin/bash  echo "Launching instances with the following parameters:" echo "" echo "Machine Image ID: $  1" echo "Number of Instances: $  2" echo "Instance Type: $  3" echo "Key Pair Name: $  4" echo "Security Group ID: $  5"  aws ec2 run-instances --image-id $  1 --count $  2 --instance-type $  3 --key-name $  4 --user-data file://install-env.sh --security-group-ids $  5 

This is the install-env.sh file:

#!/bin/bash  sudo apt-get -y update sudo apt-get -y install apache2 php php-gd mysql-server  sudo systemctl enable apache2 sudo systemctl start apache2  

I have another destroy.sh file but it’s not related to this error as of now. This is the command I am trying to execute after I ssh into ubuntu VM (I replaced the ami & sg numbers with * for posting it here):

vagrant@ubuntu-bionic:/vagrant$   ./install.sh ami-*************** 1 t2.micro key-name sg-************** 

This is the error that I am getting:

-bash: ./install.sh: /bin/bash^M: bad interpreter: No such file or directory 

The same command works fine if I have those shell script inside home directory, (which I am not able to see on the UI) and I run the command without navigating to vagrant directory like so:

vagrant@ubuntu-bionic:$   ./install.sh ami-********** 1 t2.micro key-name sg-************** 

Why does it not work if I place the files inside vagrant directory? I want to place it here so that I can make changes in one place and push/pull to/from github, instead of having to copy-paste my changes and then push to github everytime.

Please guide me through the placement of shell script files and the directory navigation on cmd prompt.

Error while running shell script inside ubuntu VM: -bash: ./install.sh: /bin/bash^M: bad interpreter: No such file or directory

I have 3 shell script files placed inside vagrant directory like so: files placement screenshot

This is the install.sh file:

#!/bin/bash  echo "Launching instances with the following parameters:" echo "" echo "Machine Image ID: $  1" echo "Number of Instances: $  2" echo "Instance Type: $  3" echo "Key Pair Name: $  4" echo "Security Group ID: $  5"  aws ec2 run-instances --image-id $  1 --count $  2 --instance-type $  3 --key-name $  4 --user-data file://install-env.sh --security-group-ids $  5 

This is the install-env.sh file:

#!/bin/bash  sudo apt-get -y update sudo apt-get -y install apache2 php php-gd mysql-server  sudo systemctl enable apache2 sudo systemctl start apache2  

I have another destroy.sh file but it’s not related to this error as of now. This is the command I am trying to execute after I ssh into ubuntu VM (I replaced the ami & sg numbers with * for posting it here):

vagrant@ubuntu-bionic:/vagrant$   ./install.sh ami-*************** 1 t2.micro key-name sg-************** 

This is the error that I am getting:

-bash: ./install.sh: /bin/bash^M: bad interpreter: No such file or directory 

The same command works fine if I have those shell script inside home directory, (which I am not able to see on the UI) and I run the command without navigating to vagrant directory like so:

vagrant@ubuntu-bionic:$   ./install.sh ami-********** 1 t2.micro key-name sg-************** 

Why does it not work if I place the files inside vagrant directory? I want to place it here so that I can make changes in one place and push/pull to/from github, instead of having to copy-paste my changes and then push to github everytime.

Please guide me through the placement of shell script files and the directory navigation on cmd prompt.

Error while running shell script inside ubuntu VM: -bash: ./install.sh: /bin/bash^M: bad interpreter: No such file or directory

I have 3 shell script files placed inside vagrant directory like so: files placement screenshot

This is the install.sh file:

#!/bin/bash  echo "Launching instances with the following parameters:" echo "" echo "Machine Image ID: $  1" echo "Number of Instances: $  2" echo "Instance Type: $  3" echo "Key Pair Name: $  4" echo "Security Group ID: $  5"  aws ec2 run-instances --image-id $  1 --count $  2 --instance-type $  3 --key-name $  4 --user-data file://install-env.sh --security-group-ids $  5 

This is the install-env.sh file:

#!/bin/bash  sudo apt-get -y update sudo apt-get -y install apache2 php php-gd mysql-server  sudo systemctl enable apache2 sudo systemctl start apache2  

I have another destroy.sh file but it’s not related to this error as of now. This is the command I am trying to execute after I ssh into ubuntu VM (I replaced the ami & sg numbers with * for posting it here):

vagrant@ubuntu-bionic:/vagrant$   ./install.sh ami-*************** 1 t2.micro key-name sg-************** 

This is the error that I am getting:

-bash: ./install.sh: /bin/bash^M: bad interpreter: No such file or directory 

The same command works fine if I have those shell script inside home directory, (which I am not able to see on the UI) and I run the command without navigating to vagrant directory like so:

vagrant@ubuntu-bionic:$   ./install.sh ami-********** 1 t2.micro key-name sg-************** 

Why does it not work if I place the files inside vagrant directory? I want to place it here so that I can make changes in one place and push/pull to/from github, instead of having to copy-paste my changes and then push to github everytime.

Please guide me through the placement of shell script files and the directory navigation on cmd prompt.

Error while running shell script inside ubuntu VM: -bash: ./install.sh: /bin/bash^M: bad interpreter: No such file or directory

I have 3 shell script files placed inside vagrant directory like so: files placement screenshot

This is the install.sh file:

#!/bin/bash  echo "Launching instances with the following parameters:" echo "" echo "Machine Image ID: $  1" echo "Number of Instances: $  2" echo "Instance Type: $  3" echo "Key Pair Name: $  4" echo "Security Group ID: $  5"  aws ec2 run-instances --image-id $  1 --count $  2 --instance-type $  3 --key-name $  4 --user-data file://install-env.sh --security-group-ids $  5 

This is the install-env.sh file:

#!/bin/bash  sudo apt-get -y update sudo apt-get -y install apache2 php php-gd mysql-server  sudo systemctl enable apache2 sudo systemctl start apache2  

I have another destroy.sh file but it’s not related to this error as of now. This is the command I am trying to execute after I ssh into ubuntu VM (I replaced the ami & sg numbers with * for posting it here):

vagrant@ubuntu-bionic:/vagrant$   ./install.sh ami-*************** 1 t2.micro key-name sg-************** 

This is the error that I am getting:

-bash: ./install.sh: /bin/bash^M: bad interpreter: No such file or directory 

The same command works fine if I have those shell script inside home directory, (which I am not able to see on the UI) and I run the command without navigating to vagrant directory like so:

vagrant@ubuntu-bionic:$   ./install.sh ami-********** 1 t2.micro key-name sg-************** 

Why does it not work if I place the files inside vagrant directory? I want to place it here so that I can make changes in one place and push/pull to/from github, instead of having to copy-paste my changes and then push to github everytime.

Please guide me through the placement of shell script files and the directory navigation on cmd prompt.