From 043fbaef0b5d129790d556c5872566fdfc675d75 Mon Sep 17 00:00:00 2001
From: fatalerrors
Date: Wed, 25 Mar 2026 14:35:53 +0100
Subject: [PATCH] protect against code injection, interpret vars

---
 profile.sh | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/profile.sh b/profile.sh
index aa4d76d..f305490 100644
--- a/profile.sh
+++ b/profile.sh
@@ -113,6 +113,15 @@ parse_conf()
 value="${value#"${value%%[![:space:]]*}"}"
 value="${value%$'\r'}"
 
+ # Protect against command injection by disallowing certain characters in keys
+ value="${value//\`/}"
+ value="${value//\$\(/}"
+
+ # Correctly interpretet internal variables (e.g. $HOME)
+ if [[ "$value" == *\$* ]]; then
+ value=$(envsubst <<< "$value")
+ fi
+
 # Strip quotes (handling both " and ')
 value="${value%\"}"; value="${value#\"}"
 value="${value%\'}"; value="${value#\'}"
@@ -122,7 +131,8 @@ parse_conf()
 current_array["$key"]="$value"
 fi
 done < "$config_file"
-}# ------------------------------------------------------------------------------
+}
+# ------------------------------------------------------------------------------
 # ------------------------------------------------------------------------------
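Review bot: The two lines under `# Protect against command injection` silently delete `` ` `` and `$(` from `value` instead of rejecting the entry (and the comment says "keys" while the code touches the value); a deleting blacklist also leaves `<(`/`>(` untouched and mangles a legitimate `$((…))`, so if the parsed value is ever passed to `eval` or similar later in the file — not visible in this hunk — the protection is incomplete, and if it is not, `envsubst` never executes command substitutions anyway, so the stripping buys nothing. I would refuse the line with a warning on stderr, and restrict `envsubst` to an explicit SHELL-FORMAT allowlist so a config value cannot read arbitrary environment variables (`envsubst '$HOME $USER' <<< "$value"`, adjusting the list to whatever the profile format is meant to support), guarded by `command -v envsubst` since it is a GNU gettext binary rather than a bash builtin and its absence would otherwise abort the loop under `set -e`. Note also that expansion runs before the quote-stripping lines, so a single-quoted `'$HOME'` is still expanded, unlike shell semantics; and the comment typo `interpretet` should read `interpreted`. `parse_conf` begins before this hunk and its `while … done < "$config_file"` loop (which the `continue` below relies on) closes in the second hunk.
```shell
    # … unchanged: leading-whitespace and CR trimming …

    # Refuse (rather than silently strip) anything that reads as a command or process substitution
    if [[ "$value" == *'`'* || "$value" == *'$('* || "$value" == *'<('* || "$value" == *'>('* ]]; then
        printf 'parse_conf: rejecting %s: command substitution is not allowed in values\n' "$key" >&2
        continue
    fi

    # Expand only an explicit allowlist of variables; any other $NAME is left literal
    if [[ "$value" == *\$* ]]; then
        command -v envsubst >/dev/null 2>&1 || { printf 'parse_conf: envsubst not found\n' >&2; return 1; }
        value=$(envsubst '$HOME $USER $XDG_CONFIG_HOME' <<< "$value")
    fi

    # … unchanged: quote stripping …
```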