Container: Prevent shell expansion in liblxc hook arguments #17478

Merged
tomponline merged 4 commits into canonical:main from tomponline:tp-single-quote
Feb 3, 2026
Conversation

@tomponline
Member

@tomponline tomponline commented Jan 26, 2026

Based on lxc/incus#2827

Related to https://github.com/lxc/incus/security/advisories/GHSA-8h3p-58qv-8p53

From @stgraber :

The LXC driver generates an LXC config file which includes some LXC hooks.
Those get run through a shell and may therefore get expanded if special characters are allowed.

Some care was taken around that by using strconv.Quote, but this only leads to double-quoted rather than single-quoted strings (equivalent to "%q" in fmt.Sprintf), when for something exposed to a shell we really want single-quoted strings.

To address potential issues, this branch:

  • Introduces a new util.SingleQuote function (sadly strconv doesn't provide this directly)
  • Makes use of util.SingleQuote where strconv.Quote was previously used

This issue came out of security research work by @rmcnamara-snyk, but as any exploitation of this requires full admin privileges on Incus, it didn't qualify as a security issue.
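As an added illustration (not LXD's code and not the util.SingleQuote this PR merges), the Go program below shows why strconv.Quote is not enough for a string handed to a shell: inside double quotes a POSIX shell still expands $VAR, backticks and $(...), whereas inside single quotes nothing is expanded, so the only character that needs escaping is the single quote itself. The SingleQuote and shellEcho functions and the sample instance name are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// SingleQuote wraps s in POSIX single quotes. A shell performs no expansion
// inside single quotes, so the only character needing care is the single
// quote itself: close the string, emit an escaped quote, reopen the string.
// Illustrative implementation written for this example, not LXD's own code.
func SingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// shellEcho asks sh to print one already-quoted argument and returns what
// the shell produced after any expansion it chose to perform.
func shellEcho(quoted string) (string, error) {
	out, err := exec.Command("sh", "-c", "printf '%s' "+quoted).Output()
	return string(out), err
}

func main() {
	// Constructed instance name containing characters a shell would act on.
	name := "c1-$HOME-'x"

	dq := strconv.Quote(name) // "c1-$HOME-'x"      -> $HOME still expands
	sq := SingleQuote(name)   // 'c1-$HOME-'\''x'   -> taken literally

	for _, q := range []string{dq, sq} {
		got, err := shellEcho(q)
		if err != nil {
			fmt.Println("sh failed:", err)
			return
		}
		fmt.Printf("%-22s -> %q (unchanged: %v)\n", q, got, got == name)
	}
}
```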

@tomponline tomponline self-assigned this Jan 26, 2026
@tomponline tomponline requested a review from Copilot January 26, 2026 09:28

Copilot AI left a comment

Pull request overview

This PR addresses a security concern related to shell expansion in LXC hook arguments by replacing double-quoted strings with single-quoted strings to prevent potential shell expansion attacks.

Changes:

  • Introduces a new SingleQuote utility function that provides single-quoting (unlike strconv.Quote which uses double-quotes)
  • Replaces all instances of strconv.Quote with shared.SingleQuote in LXC hook configurations to prevent shell expansion vulnerabilities

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File: shared/util.go
  Adds SingleQuote function to provide single-quote string escaping for shell safety
File: lxd/instance/drivers/driver_lxc.go
  Updates all LXC hook configurations to use SingleQuote instead of strconv.Quote for project and instance names

@tomponline tomponline force-pushed the tp-single-quote branch 4 times, most recently from e27ff6d to b7852f3 Compare January 26, 2026 11:44
@tomponline tomponline requested a review from Copilot January 26, 2026 11:45

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

@tomponline tomponline force-pushed the tp-single-quote branch 3 times, most recently from c48c379 to 53bba63 Compare January 26, 2026 13:55
@tomponline tomponline force-pushed the tp-single-quote branch 2 times, most recently from 80a1a91 to a2209a2 Compare February 2, 2026 15:39
@tomponline tomponline requested a review from Copilot February 2, 2026 15:39

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

@tomponline tomponline force-pushed the tp-single-quote branch 2 times, most recently from 591930a to 0bd5457 Compare February 2, 2026 15:45
@tomponline tomponline marked this pull request as ready for review February 2, 2026 15:46
simondeziel
simondeziel previously approved these changes Feb 2, 2026
stgraber and others added 4 commits February 3, 2026 08:33
Signed-off-by: Stéphane Graber <[email protected]>
Suggested-by: Rory McNamara <[email protected]>
(cherry picked from commit a5c1c73b535fb12d2c1ccd1c6b9a933fd312dc79)
Signed-off-by: Thomas Parrott <[email protected]>
License: Apache-2.0
Fixes it to actually single-quote.

Signed-off-by: Thomas Parrott <[email protected]>
This avoids potential shell expansion of the strings should some special
characters manage to make it through.

Signed-off-by: Rory McNamara <[email protected]>
(cherry picked from commit 0e0cf45ecdcc902a6f319f11971ed27df81bd29f)
Signed-off-by: Thomas Parrott <[email protected]>
License: Apache-2.0
@tomponline tomponline merged commit 38b564e into canonical:main Feb 3, 2026
58 of 66 checks passed
@tomponline tomponline deleted the tp-single-quote branch February 3, 2026 13:43
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Feb 4, 2026
tomponline added a commit to canonical/lxd-pkg-snap that referenced this pull request Feb 4, 2026
tomponline added a commit that referenced this pull request Feb 6, 2026
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Feb 9, 2026
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Feb 9, 2026
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Feb 9, 2026
tomponline added a commit to canonical/lxd-pkg-snap that referenced this pull request Feb 9, 2026
tomponline added a commit that referenced this pull request Feb 12, 2026
tomponline added a commit that referenced this pull request Feb 12, 2026
tomponline added a commit to tomponline/lxd-pkg-snap that referenced this pull request Mar 6, 2026
tomponline added a commit to canonical/lxd-pkg-snap that referenced this pull request Mar 6, 2026