Merge pull request #200 from EngineScript/copilot/fix-suffix-length-validation

PDowney · web-flow · commit 3f30c1f47c63 · 2026-04-12T05:05:49.000-04:00
fix: harden vhost database credential generation and eliminate duplicate validation
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,15 @@ Changes are organized by date, with the most recent changes listed first.
 
 ## 2026-04-12
 
+### 🔒 VHOST INSTALL DATABASE CREDENTIAL VALIDATION IMPROVEMENTS
+
+- Added domain hash (`sha256sum`, first 8 hex chars) to `db_name_suffix` in `vhost-install.sh` to prevent silent database name collisions when long domain names are truncated to fit MariaDB's 64-character identifier limit. Added explicit regex validation of the hash output (`^[0-9a-f]{8}$`) to catch pipeline failures with a clear error message.
+- Replaced the overly-broad suffix length guard (`>= 64`) with an exact-length check (`!= 14`) that precisely validates the expected suffix format: `_<8-char-hash>_<RAND_CHAR4>`.
+- Added backtick rejection to `validate_db_identifier()` as defense-in-depth against SQL injection via backtick-quoted identifiers, guarding against future regex changes.
+- Tightened `database_user` validation regex from `^[A-Za-z0-9_]+$` to `^[A-Za-z0-9]+$` to accurately reflect the `RAND_CHAR16` source charset (`a-zA-Z0-9`, no underscores).
+- Removed redundant single-quote and backslash sub-checks from `database_password` validation; these are already excluded by the `^[A-Za-z0-9_]+$` regex and were unnecessarily duplicated.
+- Removed duplicate post-`source` validations of `${DB}` and `${PSWD}`; both values are fully validated pre-write before the credentials file is created, eliminating double validation.
+
 ### 🐛 VHOST INSTALL SHELL CORRECTNESS & SECURITY FIXES
 
 - Removed invalid `local` keyword from `create_db_sql` declaration in `scripts/functions/vhost/vhost-install.sh`; `local` has no effect outside a function and was misleading.
diff --git a/scripts/functions/vhost/vhost-install.sh b/scripts/functions/vhost/vhost-install.sh
@@ -46,7 +46,8 @@ MULTIPART_PUBLIC_SUFFIXES=(
 validate_db_identifier() {
   local db_identifier="$1"
   local domain_context="$2"
-  if [[ -z "${db_identifier}" || ! "${db_identifier}" =~ ^[A-Za-z][A-Za-z0-9_]*$ ]]; then
+  # Explicitly reject backticks as defense-in-depth for backtick-quoted SQL identifiers.
+  if [[ -z "${db_identifier}" || ! "${db_identifier}" =~ ^[A-Za-z][A-Za-z0-9_]*$ || "${db_identifier}" == *'`'* ]]; then
     echo "Error: Invalid database name '${db_identifier}' for domain '${domain_context}'." >&2
     exit 1
   fi
@@ -224,10 +225,18 @@ if [[ "${INSTALL_WORDPRESS}" == "1" ]]; then
   # RAND_CHAR4, RAND_CHAR16, and RAND_CHAR32 are random strings (length 4/16/32)
   # sourced from /usr/local/bin/enginescript/enginescript-variables.txt.
   # Enforce MySQL/MariaDB identifier max length (64 chars) before concatenation.
-  db_name_suffix="_${RAND_CHAR4}"
+  # Include a stable hash of the full domain to avoid collisions when truncation occurs.
+  domain_hash="$(printf '%s' "${DOMAIN}" | sha256sum | awk '{print $1}' | cut -c1-8)"
+  if [[ ! "${domain_hash}" =~ ^[0-9a-f]{8}$ ]]; then
+    echo "Error: Failed to generate domain hash for database name suffix (got '${domain_hash}')." >&2
+    exit 1
+  fi
+  db_name_suffix="_${domain_hash}_${RAND_CHAR4}"
   max_db_name_len=64
-  if (( ${#db_name_suffix} >= max_db_name_len )); then
-    echo "Error: Invalid random suffix length for database name generation." >&2
+  # Expected: '_' (1) + domain_hash (8) + '_' (1) + RAND_CHAR4 (4) = 14 chars.
+  expected_db_name_suffix_len=14
+  if (( ${#db_name_suffix} != expected_db_name_suffix_len )); then
+    echo "Error: Invalid random suffix length for database name generation (expected ${expected_db_name_suffix_len}, got ${#db_name_suffix})." >&2
     exit 1
   fi
   max_domain_without_tld_len=$((max_db_name_len - ${#db_name_suffix}))
@@ -245,13 +254,14 @@ if [[ "${INSTALL_WORDPRESS}" == "1" ]]; then
   credentials_dir="/home/EngineScript/mysql-credentials"
   credentials_file="${credentials_dir}/${DOMAIN}.txt"
   # Ensure parent directory exists and is restricted before writing sensitive data
-  # Validate generated credentials before writing any sensitive data to disk
-  if [[ -z "${database_user}" || ${#database_user} -lt 8 || ${#database_user} -gt 80 || ! "${database_user}" =~ ^[A-Za-z0-9_]+$ ]]; then
-    echo "Error: Invalid generated MariaDB user '${database_user}' for domain '${DOMAIN}' (must be 8-80 characters and contain only letters, numbers, or underscores)." >&2
+  # Validate generated credentials before writing any sensitive data to disk.
+  # RAND_CHAR16 uses a-zA-Z0-9 only; regex matches that exact charset.
+  if [[ -z "${database_user}" || ${#database_user} -lt 8 || ${#database_user} -gt 80 || ! "${database_user}" =~ ^[A-Za-z0-9]+$ ]]; then
+    echo "Error: Invalid generated MariaDB user '${database_user}' for domain '${DOMAIN}' (must be 8-80 characters and contain only letters or numbers)." >&2
     exit 1
   fi
   
-  if [[ -z "${database_password}" || ! "${database_password}" =~ ^[A-Za-z0-9_]+$ || "${database_password}" == *"'"* || "${database_password}" == *"\\"* ]]; then
+  if [[ -z "${database_password}" || ! "${database_password}" =~ ^[A-Za-z0-9_]+$ ]]; then
     echo "Error: Invalid generated database password for domain '${DOMAIN}'." >&2
     exit 1
   fi
@@ -267,20 +277,6 @@ if [[ "${INSTALL_WORDPRESS}" == "1" ]]; then
 
   source "${credentials_file}"
 
-  # Validate DB identifier before interpolating into SQL
-  if [[ -z "${DB}" || ! "${DB}" =~ ^[A-Za-z][A-Za-z0-9_]*$ ]]; then
-    echo "Error: Invalid database name '${DB}' for domain '${DOMAIN}'." >&2
-    exit 1
-  fi
-
-  # Validate DB password before interpolating into SQL single-quoted string.
-  # Allow printable ASCII generally, but reject characters that would break
-  # single-quoted SQL interpolation without escaping (' and \).
-  if [[ -z "${PSWD}" || ! "${PSWD}" =~ ^[[:print:]]+$ || "${PSWD}" == *"'"* || "${PSWD}" == *"\\"* ]]; then
-    echo "Error: Invalid database password for domain '${DOMAIN}'." >&2
-    exit 1
-  fi
-
   echo "Randomly generated MySQL database credentials for ${DOMAIN}."
 
   printf -v create_db_sql "CREATE DATABASE \`%s\` CHARACTER SET utf8mb4 COLLATE utf8mb4_uca1400_ai_ci;" "${DB}"
