[Infrastructure] Shell scripts: no error handling in install.sh, unvalidated input, unsafe sed #417

@Flegma

Summary

Shell scripts lack error handling and input validation.

Findings

  • install.sh — no set -e, no error checking. Commands continue on failure.
  • setup-env.sh — domain names from read with no format validation. Used in sed.
  • replace_rand32_in_env_files.sh — random string can contain sed special chars. No escaping.

Impact

Partial installations in broken state. Invalid domains or malformed .env files.

Suggested Fix

Add set -euo pipefail and trap to all scripts. Validate domain input. Escape sed values or use envsubst.
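
One way the suggested fix could look, as an added example that is not code from the issue or from the 5stack repository. The function names, the `WEB_DOMAIN` and `APP_KEY` keys and the sample values are hypothetical, and `|` is assumed as the sed delimiter.

```shell
#!/usr/bin/env bash
# Added example: names and sample values are hypothetical, not the project's.
set -eu
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi  # not in every sh

TMP_FILE=""
cleanup() { [ -z "$TMP_FILE" ] || rm -f "$TMP_FILE"; }
trap cleanup EXIT   # remove a half-written temp file on any exit path

# Accept only dotted hostnames: letters, digits and hyphens per label.
is_valid_domain() {
  local d="$1"
  [ -n "$d" ] && [ "${#d}" -le 253 ] || return 1
  case $d in *[!A-Za-z0-9.-]*) return 1 ;; esac   # rejects / & | \ spaces newlines
  printf '%s\n' "$d" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Escape the characters that are special on the replacement side of s|...|...|
sed_escape_replacement() {
  printf '%s\n' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Rewrite KEY=... in FILE; the original is replaced only after sed succeeded.
set_env_value() {   # usage: set_env_value FILE KEY VALUE
  local file="$1" key="$2" value="$3" escaped
  case $key in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "bad key: $key" >&2; return 1 ;;
  esac
  case $value in *"
"*) echo "value contains a newline" >&2; return 1 ;; esac
  escaped=$(sed_escape_replacement "$value")
  TMP_FILE=$(mktemp "$file.XXXXXX")   # created 0600, next to the target
  sed -e "s|^${key}=.*|${key}=${escaped}|" "$file" > "$TMP_FILE"
  mv "$TMP_FILE" "$file"
  TMP_FILE=""
}

if [ "${1:-}" = "--demo" ]; then   # constructed sample data
  env_file=$(mktemp)
  printf 'WEB_DOMAIN=\nAPP_KEY=placeholder\n' > "$env_file"
  is_valid_domain "panel.example.com" &&
    set_env_value "$env_file" WEB_DOMAIN "panel.example.com"
  set_env_value "$env_file" APP_KEY 'p&ss/w|rd\1'
  cat "$env_file"; rm -f "$env_file"
fi
```

Run it with `--demo` to see both keys written verbatim; a value containing `&` would otherwise be expanded by sed to the matched text.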

Labels

  • P1-high (Stability & reliability)
  • audit-2026-03 (From March 2026 codebase audit)
  • reliability (Reliability or availability concern)
  • service:infrastructure (5stackgg/5stack-panel infrastructure)