TASK-010: Replace .split() with shlex.split() for fail2ban_start_command

- Add @field_validator for fail2ban_start_command to validate with shlex.split() at startup, catching misconfigured commands with mismatched quotes - Replace .split() with shlex.split() in jail_config.py line 450 - Replace .split() with shlex.split() in config_misc.py line 154 - Update Backend-Development.md with configuration documentation explaining quoted path handling and common pitfalls - Add comprehensive test suite (8 tests) covering valid commands, quoted paths, and mismatched quote errors This fix ensures commands like '/opt/my tools/fail2ban-client' start are correctly parsed as two tokens instead of three, preventing execution failures when the path contains spaces. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-26 13:04:14 +02:00
parent 4ab767e3d4
commit 8698b89f6a
6 changed files with 160 additions and 38 deletions
--- a/Docs/Backend-Development.md
+++ b/Docs/Backend-Development.md
@@ -522,6 +522,28 @@ environment:

 **Important:** If `Secure=true` is set, browsers will reject the session cookie when the backend is served over HTTP. Ensure your nginx/reverse proxy terminates TLS and passes `X-Forwarded-Proto: https` so FastAPI knows the connection is secure.

+### fail2ban_start_command Configuration
+
+The `fail2ban_start_command` setting specifies the shell command used to start the fail2ban daemon during recovery operations (e.g., after a rollback).
+
+**Format & Parsing:**
+- The command is split into arguments using `shlex.split()`, which respects shell quoting rules.
+- Paths with spaces must be quoted. Example: `"/opt/my tools/fail2ban-client" start`.
+- The command is **not** executed through a shell — no shell variables or globbing are interpreted.
+
+**Validation:**
+- The command is validated at startup using `shlex.split()`. Mismatched quotes will raise a `ValueError` with the problematic command in the error message.
+
+**Environment Variables:**
+```bash
+BANGUI_FAIL2BAN_START_COMMAND="fail2ban-client start"           # Default
+BANGUI_FAIL2BAN_START_COMMAND="systemctl start fail2ban"        # systemd
+BANGUI_FAIL2BAN_START_COMMAND='"/opt/my tools/fail2ban" start'  # Quoted path
+```
+
+**Common Pitfall:**
+Using `.split()` instead of `shlex.split()` would break commands with spaces in paths. Always use quoted strings for paths that contain whitespace.
+
 ### Login Rate Limiting

 The login endpoint (`POST /api/auth/login`) is protected against brute-force attacks using an in-memory rate limiter.
--- a/Docs/Tasks.md
+++ b/Docs/Tasks.md
@@ -1,39 +1,3 @@
-## TASK-009 — Blocklist URL has no scheme/host validation — SSRF risk
-
-**Severity:** High
-
-### Where found
-`backend/app/models/blocklist.py` — `BlocklistSourceCreate.url: str = Field(..., min_length=1)`. `backend/app/services/blocklist_service.py` — `preview_source()` and `_download_text_with_retries()`.
-
-### Why this is needed
-An authenticated user can supply `file:///etc/passwd`, `http://169.254.169.254/latest/meta-data/` (AWS metadata service), `http://10.0.0.1/admin`, or `http://localhost:8000/api/setup` as a blocklist URL. The backend fetches it and either returns its contents in the preview response or attempts to parse it as an IP list. This is a Server-Side Request Forgery (SSRF) vulnerability.
-
-### Goal
-Restrict blocklist URLs to safe, public HTTP/HTTPS endpoints only.
-
-### What to do
-1. Change `url: str` to `url: AnyHttpUrl` in `BlocklistSourceCreate` — this rejects `file://`, `ftp://`, and other non-http schemes.
-2. Add a `@field_validator("url")` that:
-   - Parses the hostname.
-   - Resolves it via `socket.getaddrinfo()` (or uses `ipaddress.ip_address()` if it is a bare IP).
-   - Rejects RFC 1918 private ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`), loopback (`127.0.0.0/8`), link-local (`169.254.0.0/16`), and IPv6 equivalents.
-3. Add a validator for `http://` URLs — consider requiring `https://` only, or adding a configuration flag.
-
-### Possible traps and issues
- DNS rebinding: the hostname resolves to a public IP at validation time but to a private IP at fetch time. Mitigate by re-validating the final connection IP in aiohttp (custom `TCPConnector` or response callback).
- `AnyHttpUrl` allows ports — ensure `http://evil.com:22/` is also blocked or at least safe.
- `socket.getaddrinfo()` is blocking — use `asyncio.get_event_loop().getaddrinfo()` or run in executor.
-
-### Docs changes needed
- `Features.md` — document URL validation constraints for blocklist sources.
- `Backend-Development.md` — SSRF prevention pattern.
-
-### Doc references
- [Features.md](Features.md) — blocklist management
- [Backend-Development.md](Backend-Development.md) — input validation
-
---
-
 ## TASK-010 — `fail2ban_start_command` split with `.split()` instead of `shlex.split()`

 **Severity:** Low
--- a/backend/app/config.py
+++ b/backend/app/config.py
@@ -4,6 +4,7 @@ Follows pydantic-settings patterns: all values are prefixed with BANGUI_
 and validated at startup via the Settings singleton.
 """

+import shlex
 from typing import Literal

 from pydantic import Field, field_validator
@@ -151,6 +152,32 @@ class Settings(BaseSettings):
        ),
    )

+    @field_validator("fail2ban_start_command", mode="after")
+    @classmethod
+    def _validate_fail2ban_start_command(cls, value: str) -> str:
+        """Validate fail2ban_start_command by attempting to parse it with shlex.
+
+        Ensures the command can be split into arguments without shell interpretation.
+        Raises ValueError if the command contains mismatched quotes.
+
+        Args:
+            value: The fail2ban start command string.
+
+        Returns:
+            The validated command string.
+
+        Raises:
+            ValueError: If the command contains mismatched quotes.
+        """
+        try:
+            shlex.split(value)
+        except ValueError as e:
+            raise ValueError(
+                f"fail2ban_start_command contains mismatched quotes or is otherwise "
+                f"unparseable: {value!r} — {e}"
+            ) from e
+        return value
+
    model_config = SettingsConfigDict(
        env_prefix="BANGUI_",
        env_file=".env",
--- a/backend/app/routers/config_misc.py
+++ b/backend/app/routers/config_misc.py
@@ -1,5 +1,6 @@
 from __future__ import annotations

+import shlex
 from typing import Annotated

 import structlog
@@ -149,7 +150,7 @@ async def restart_fail2ban(
            ``POST /api/config/jails/{name}/rollback``
            if a specific jail is suspect.
    """
-    start_cmd_parts: list[str] = start_cmd.split()
+    start_cmd_parts: list[str] = shlex.split(start_cmd)

    restarted = await jail_service.restart_daemon(
        socket_path,
--- a/backend/app/routers/jail_config.py
+++ b/backend/app/routers/jail_config.py
@@ -1,5 +1,6 @@
 from __future__ import annotations

+import shlex
 from typing import Annotated

 from fastapi import APIRouter, Path, Query, Request, status
@@ -445,7 +446,7 @@ async def rollback_jail(
        HTTPException: 400 if *name* contains invalid characters.
        HTTPException: 500 if writing the .local override file fails.
    """
-    start_cmd_parts: list[str] = start_cmd.split()
+    start_cmd_parts: list[str] = shlex.split(start_cmd)

    result = await jail_config_service.rollback_jail(config_dir, socket_path, name, start_cmd_parts)

--- a/backend/tests/test_config.py
+++ b/backend/tests/test_config.py
@@ -0,0 +1,107 @@
+"""Unit tests for application configuration and validation."""
+
+import pytest
+from pydantic import ValidationError
+
+from app.config import Settings
+
+
+def test_fail2ban_start_command_validates_simple_command() -> None:
+    """Simple fail2ban commands without special characters are accepted."""
+    settings = Settings(
+        database_path="/tmp/test.db",
+        fail2ban_socket="/tmp/fake_fail2ban.sock",
+        fail2ban_config_dir="/tmp/fail2ban",
+        session_secret="test-secret-key-do-not-use-in-production",
+        fail2ban_start_command="fail2ban-client start",
+    )
+    assert settings.fail2ban_start_command == "fail2ban-client start"
+
+
+def test_fail2ban_start_command_validates_systemctl_command() -> None:
+    """systemctl commands are accepted."""
+    settings = Settings(
+        database_path="/tmp/test.db",
+        fail2ban_socket="/tmp/fake_fail2ban.sock",
+        fail2ban_config_dir="/tmp/fail2ban",
+        session_secret="test-secret-key-do-not-use-in-production",
+        fail2ban_start_command="systemctl start fail2ban",
+    )
+    assert settings.fail2ban_start_command == "systemctl start fail2ban"
+
+
+def test_fail2ban_start_command_accepts_quoted_paths() -> None:
+    """Commands with quoted paths containing spaces are accepted."""
+    settings = Settings(
+        database_path="/tmp/test.db",
+        fail2ban_socket="/tmp/fake_fail2ban.sock",
+        fail2ban_config_dir="/tmp/fail2ban",
+        session_secret="test-secret-key-do-not-use-in-production",
+        fail2ban_start_command='"/opt/my tools/fail2ban-client" start',
+    )
+    assert settings.fail2ban_start_command == '"/opt/my tools/fail2ban-client" start'
+
+
+def test_fail2ban_start_command_rejects_mismatched_quotes() -> None:
+    """Commands with mismatched quotes raise ValidationError."""
+    with pytest.raises(ValidationError) as exc_info:
+        Settings(
+            database_path="/tmp/test.db",
+            fail2ban_socket="/tmp/fake_fail2ban.sock",
+            fail2ban_config_dir="/tmp/fail2ban",
+            session_secret="test-secret-key-do-not-use-in-production",
+            fail2ban_start_command='"/opt/my tools/fail2ban-client start',
+        )
+    error_msg = str(exc_info.value)
+    assert "fail2ban_start_command" in error_msg
+    assert "mismatched quotes" in error_msg or "No closing quotation" in error_msg
+
+
+def test_fail2ban_start_command_error_includes_problematic_value() -> None:
+    """Validation errors include the problematic command value."""
+    problematic_command = '"/opt/broken start'
+    with pytest.raises(ValidationError) as exc_info:
+        Settings(
+            database_path="/tmp/test.db",
+            fail2ban_socket="/tmp/fake_fail2ban.sock",
+            fail2ban_config_dir="/tmp/fail2ban",
+            session_secret="test-secret-key-do-not-use-in-production",
+            fail2ban_start_command=problematic_command,
+        )
+    error_msg = str(exc_info.value)
+    assert problematic_command in error_msg
+
+
+def test_fail2ban_start_command_default_value_is_valid() -> None:
+    """The default fail2ban_start_command value is valid and parseable."""
+    settings = Settings(
+        database_path="/tmp/test.db",
+        fail2ban_socket="/tmp/fake_fail2ban.sock",
+        fail2ban_config_dir="/tmp/fail2ban",
+        session_secret="test-secret-key-do-not-use-in-production",
+    )
+    assert settings.fail2ban_start_command == "fail2ban-client start"
+
+
+def test_fail2ban_start_command_single_quoted() -> None:
+    """Commands with single quotes are accepted."""
+    settings = Settings(
+        database_path="/tmp/test.db",
+        fail2ban_socket="/tmp/fake_fail2ban.sock",
+        fail2ban_config_dir="/tmp/fail2ban",
+        session_secret="test-secret-key-do-not-use-in-production",
+        fail2ban_start_command="'/usr/bin/fail2ban-client' start",
+    )
+    assert settings.fail2ban_start_command == "'/usr/bin/fail2ban-client' start"
+
+
+def test_fail2ban_start_command_multiple_arguments() -> None:
+    """Commands with multiple arguments are accepted."""
+    settings = Settings(
+        database_path="/tmp/test.db",
+        fail2ban_socket="/tmp/fake_fail2ban.sock",
+        fail2ban_config_dir="/tmp/fail2ban",
+        session_secret="test-secret-key-do-not-use-in-production",
+        fail2ban_start_command="fail2ban-client -c /etc/fail2ban start",
+    )
+    assert settings.fail2ban_start_command == "fail2ban-client -c /etc/fail2ban start"