Use shlex.quote for remote_cmd in build_ssh_command

Matches the pattern already used in monitor.py's _ssh_batch(); prevents quoting breakage if shlex.quote(iface) emits single-quoted tokens inside the remote command string. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix: escape ticket_id text content in dynamic events table
2026-05-11 23:17:11 -04:00 · 2026-05-11 23:02:09 -04:00
2 changed files with 2 additions and 2 deletions
@@ -78,7 +78,7 @@ class DiagnosticsRunner:
            f'ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=5 '
            f'-o BatchMode=yes -o LogLevel=ERROR '
            f'-o ServerAliveInterval=10 -o ServerAliveCountMax=2 '
-            f'root@{ip_q} \'{remote_cmd}\''
+            f'root@{ip_q} {shlex.quote(remote_cmd)}'
        )

    # ------------------------------------------------------------------
@@ -220,7 +220,7 @@ function updateEventsTable(events, totalActive) {
      ? GANDALF_CONFIG.ticket_web_url : 'http://t.lotusguild.org/ticket/';
    const ticket = e.ticket_id
      ? `<a href="${lt.escHtml(ticketBase)}${lt.escHtml(String(e.ticket_id))}" target="_blank"
-            class="ticket-link">#${e.ticket_id}</a>`
+            class="ticket-link">#${lt.escHtml(String(e.ticket_id))}</a>`
      : '–';
    const supBadge = e.is_suppressed
      ? `<span class="lt-badge badge-suppressed" title="Alert suppressed">🔕 sup</span>`
Author	SHA1	Message	Date
jared	bcc2ad7f5c	Use shlex.quote for remote_cmd in build_ssh_command Lint / Python (flake8) (push) Successful in 1m3s Details Lint / JS (eslint) (push) Successful in 10s Details Security / Python Security (bandit) (push) Successful in 49s Details Test / Python Tests (pytest) (push) Successful in 1m10s Details Lint / Notify on failure (push) Has been skipped Details Lint / Deploy (push) Successful in 4s Details Matches the pattern already used in monitor.py's _ssh_batch(); prevents quoting breakage if shlex.quote(iface) emits single-quoted tokens inside the remote command string. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 23:17:11 -04:00
jared	d4f159ee7c	fix: escape ticket_id text content in dynamic events table Lint / Python (flake8) (push) Successful in 44s Details Lint / JS (eslint) (push) Successful in 8s Details Security / Python Security (bandit) (push) Successful in 42s Details Test / Python Tests (pytest) (push) Successful in 1m7s Details Lint / Notify on failure (push) Has been skipped Details Lint / Deploy (push) Successful in 3s Details ticket_id was already escaped in the href attribute but the visible text (#<id>) used the raw value in an innerHTML template literal. Apply lt.escHtml() for defense-in-depth against a compromised ticket API. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 23:02:09 -04:00