From 3bed7bad1187c5f9d44ba7e27cfd1b7babef5566 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Date: Sun, 15 Sep 2024 18:33:52 +0200
Subject: [PATCH] Anchoring

For better security out of the box, always perform exact matching unless
a more lenient pattern is explicitly provided by the administrator.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 authorized-exec.pl   | 2 +-
 authorized-exec.spec | 2 +-
 config.example.pl    | 9 +++++----
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/authorized-exec.pl b/authorized-exec.pl
index 0cf71b0..5f8d6b8 100755
--- a/authorized-exec.pl
+++ b/authorized-exec.pl
@@ -40,7 +40,7 @@ if ($ssh_cmd) {
 	exit 1
 }
 
-my %cmds = map { qr{$_} => 1 } @{$config{$user}};
+my %cmds = map { qr/^$_$/ => 1 } @{$config{$user}};
 
 if ( any { $cmd =~ $_ } keys %cmds ) {
 	exec $cmd;
diff --git a/authorized-exec.spec b/authorized-exec.spec
index dd5379d..d6de872 100644
--- a/authorized-exec.spec
+++ b/authorized-exec.spec
@@ -18,7 +18,7 @@
 
 
 Name:           authorized-exec
-Version:        1.0
+Version:        1.1
 Release:        0
 Summary:        Health check
 License:        EUPL-1.2
diff --git a/config.example.pl b/config.example.pl
index 3beed16..ea6396c 100644
--- a/config.example.pl
+++ b/config.example.pl
@@ -1,10 +1,11 @@
+# the patterns are read as regular expressions and anchored with ^ and $ by default
 (
 	'georg' => [
-		'^echo hi$',
-		'^true$',
-		'^printf %s [a-z0-9 ]+$',
+		'echo hi',
+		'true',
+		'printf %s [a-z0-9 ]+',
 	],
 	'root' => [
-		'^ls -a /root$',
+		'ls -a /root',
 	],
 )