# Remediation Guide: CVE-2026-35585
This document outlines the steps required to mitigate and permanently fix the OS Command Injection vulnerability in File Browser.
## 1. Immediate Action (For Users/Admins)
If you are running an affected version of File Browser (**v2.0.0 to v2.33.1**), please take one of the following actions immediately:
### A. Update to the Latest Version
The most effective solution is to update your File Browser instance to **v2.33.8 or later**.
In the patched versions, the maintainers have:
- Disabled custom command hooks by default.
- Improved the way environment variables are handled during hook execution.
### B. Temporary Workaround (If update is not possible)
1. **Disable Hooks:** Clear all commands in the **Global Settings > Commands** (Hooks) section.
2. **Restrict Privileges:** Ensure that only trusted users have "Upload", "Rename", or "Create" permissions.
3. **Shell Configuration:** Remove any shell configuration (e.g., `sh -c`) from the Global Settings to prevent shell-level command chaining.
---
## 2. Technical Solution (For Developers)
The root cause of this vulnerability is the use of `os.Expand` to perform string substitution inside a command string that is eventually executed by a shell.
### The Vulnerable Pattern
Because the expanded string is later handed to a shell, plain string replacement lets shell metacharacters (`;`, `&`, `|`, etc.) carried in a user-controlled value such as a filename be interpreted as command separators and other shell syntax.
```go
// VULNERABLE: the user-controlled value (e.g. the uploaded filename) is
// spliced into the command string by plain text substitution, and the
// whole string is then executed via `sh -c`.
command[i] = os.Expand(arg, envMapping)
// Result for a file named "; id #": sh -c "echo Uploaded ; id #"
```
### The Recommended Fixes
#### Fix 1: Avoid Shell Execution (Preferred)
Instead of executing commands through a shell (e.g., `sh -c "cmd $VAR"`), execute the binary directly and pass arguments as a discrete slice. This prevents the shell from ever interpreting the content of the variables.
```go
import "os/exec"

// SECURE: direct execution, no shell involved.
// Instead of: []string{"sh", "-c", "echo Uploaded $FILE"}
// Use:        []string{"echo", "Uploaded", path}
// Each slice element becomes exactly one argv entry, so the filename is
// passed to the program as data and is never parsed as shell syntax.
cmd := exec.Command(command[0], command[1:]...)
```
#### Fix 2: Proper Shell Quoting/Escaping
If shell execution is strictly required, every variable expanded via `os.Expand` must be escaped for the specific shell being used.
```go
import "github.com/kballard/go-shellquote"

// SECURE: escaping before substitution
envMapping := func(key string) string {
	if key == "FILE" {
		return shellquote.Join(path) // Wraps in quotes and escapes internal quotes
	}
	// ...
}
```
#### Fix 3: Input Validation (Defense-in-Depth)
Implement a strict allow-list or deny-list for filenames. Reject any file upload or rename request where the filename contains:
- `;`, `&`, `|`, `$`, `` ` ``, `(`, `)`, `>`, `<`, `\n`, `\r`
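The following is an added, self-contained Go example (not File Browser's code) that puts the vulnerable pattern and the three fixes above side by side on one hook template and one constructed hostile filename. `shellSingleQuote` is a hand-rolled POSIX single-quoting routine standing in for `shellquote.Join` so the example has no third-party dependency; the template `echo Uploaded $FILE` and the filename `x; id #` are constructed sample values.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Metacharacters the defense-in-depth filename check (Fix 3) refuses.
const shellMeta = ";&|$`()<>\n\r"
// mapping returns the os.Expand lookup for the hook's $FILE variable (other keys expand to "").
func mapping(file string) func(string) string {
	return func(key string) string { return map[string]string{"FILE": file}[key] }
}
// vulnerableHook reproduces the flawed pattern: the whole command line is expanded and
// handed to "sh -c", so metacharacters in the filename are read by the shell as syntax.
func vulnerableHook(template, file string) []string {
	return []string{"sh", "-c", os.Expand(template, mapping(file))}
}

// directArgv is Fix 1: no shell. The template is split into argv first and each token
// is expanded on its own, so the filename can never be more than a single argument.
func directArgv(template, file string) []string {
	argv := strings.Fields(template)
	for i, tok := range argv {
		argv[i] = os.Expand(tok, mapping(file))
	}
	return argv
}

// shellSingleQuote is Fix 2 for POSIX sh (a stand-in for shellquote.Join): wrap the value
// in single quotes and rewrite each embedded quote as '\'' so nothing inside is interpreted.
func shellSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// quotedHook keeps "sh -c" but quotes every substituted value before the shell sees it.
func quotedHook(template, file string) []string {
	q := func(key string) string { return shellSingleQuote(mapping(file)(key)) }
	return []string{"sh", "-c", os.Expand(template, q)}
}

// validFilename is Fix 3: reject any name that carries a shell metacharacter.
func validFilename(name string) bool {
	return name != "" && !strings.ContainsAny(name, shellMeta)
}

func main() {
	evil, tpl := "x; id #", "echo Uploaded $FILE" // constructed hostile filename and hook template
	fmt.Printf("%q\n%q\n%q\n%v\n", vulnerableHook(tpl, evil), directArgv(tpl, evil), quotedHook(tpl, evil), validFilename(evil))
}
```

Running it prints the three argv slices: only the vulnerable one carries `x; id #` unquoted inside a `sh -c` string, while Fix 1 keeps it as a single argument and Fix 2 wraps it in single quotes, and Fix 3 rejects the name outright.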
---
## 3. Verification after Fix
After applying the fix or updating, verify the mitigation by running the PoC script:
```bash
python3 exploit.py -t http://localhost:8080 -c "touch /tmp/verify_fix"
```
**Expected Result:**
The server should either:
- Reject the upload due to an invalid filename.
- Upload the file safely without executing the `touch` command.
---
## References
- [CWE-78: Improper Neutralization of Special Elements used in an OS Command](https://cwe.mitre.org/data/definitions/78.html)
- [CWE-88: Improper Neutralization of Argument Delimiters in a Command](https://cwe.mitre.org/data/definitions/88.html)