BUG/MEDIUM: runtime: reject special characters in filenames

Avoid command injection when calling the runtime API by rejecting
dangerous characters which should never be used in filenames.

The rejected characters: \r\n<>*;$#&{}"

Note that we cannot simply add quotes around arguments in runtime
commands since HAProxy does not parse them, unlike in the configuration
file.

Author: oliwer

runtime/runtime_single_client.go

@@ -33,6 +33,8 @@ const (
 	masterSocket socketType = "master"
 )
 
+var ErrRuntimeInvalidChar = errors.New("invalid character found in runtime command")
+
 type socketType string
 
 // SingleRuntime handles one runtime API
@@ -180,6 +182,10 @@ func (s *SingleRuntime) ExecuteMaster(command string) (string, error) {
 }
 
 func (s *SingleRuntime) executeRaw(command string, retry int, socket socketType) (string, error) {
+	// Make sure to only execute a single command.
+	if strings.ContainsAny(command, ";") {
+		return "", ErrRuntimeInvalidChar
+	}
 	result, err := s.readFromSocket(command, socket)
 	if err != nil && retry > 0 {
 		retry--

runtime/runtime_single_client_test.go

@@ -0,0 +1,46 @@
+// Copyright 2026 HAProxy Technologies
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package runtime_test
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/haproxytech/client-native/v6/runtime"
+)
+
+func TestSingleRuntime_Execute(t *testing.T) {
+	tests := []struct {
+		name    string // description of this test case
+		command string
+		wantErr error
+	}{
+		{
+			name:    "two commands with semicolon",
+			command: "show ssl cert foo;dump ssl foo",
+			wantErr: runtime.ErrRuntimeInvalidChar,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var s runtime.SingleRuntime
+			gotErr := s.Execute(tt.command)
+			if !errors.Is(gotErr, tt.wantErr) {
+				t.Errorf("got %v, expected %v", gotErr, tt.wantErr)
+			}
+		})
+	}
+}

specification/build/haproxy_spec.yaml

@@ -12197,6 +12197,7 @@ parameters:
     description: Parent name
     required: true
     type: string
+    pattern: '^[^\r\n<>*;$#&{}"]+$'
   full_section:
     name: full_section
     in: query
@@ -25590,6 +25591,7 @@ paths:
         - description: ACL file entry ID
           in: path
           name: id
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -25682,6 +25684,7 @@ paths:
         - description: File entry ID
           in: path
           name: id
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -25705,6 +25708,7 @@ paths:
         - description: File entry ID
           in: path
           name: id
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -25789,6 +25793,7 @@ paths:
         - description: Server name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -25811,6 +25816,7 @@ paths:
         - description: Server name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -25833,6 +25839,7 @@ paths:
         - description: Server name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -25905,6 +25912,7 @@ paths:
         - description: SSL CA file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       responses:
@@ -25924,6 +25932,7 @@ paths:
         - description: SSL CA file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -25949,6 +25958,7 @@ paths:
         - description: SSL CA file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - in: formData
@@ -25976,6 +25986,7 @@ paths:
         - description: SSL CA file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: Payload of the cert entry
@@ -26006,6 +26017,7 @@ paths:
         - description: SSL CA file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: SSL CA file index
@@ -26078,6 +26090,7 @@ paths:
         - description: SSL certificate name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       responses:
@@ -26097,6 +26110,7 @@ paths:
         - description: SSL certificate name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -26120,6 +26134,7 @@ paths:
         - description: SSL certificate name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - in: formData
@@ -26187,6 +26202,7 @@ paths:
         - description: CRL file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       responses:
@@ -26206,6 +26222,7 @@ paths:
         - description: CRL file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: Entry index to return. Starts at 1. If not provided, all entries are returned.
@@ -26237,6 +26254,7 @@ paths:
         - description: CRL file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: CRL file contents
@@ -26279,11 +26297,13 @@ paths:
         - description: SSL crt list name
           in: query
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: SSL cert entry name
           in: query
           name: cert_file
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: The line number where the entry is located, in case several entries share the same certificate.
@@ -26311,6 +26331,7 @@ paths:
         - description: SSL crt-list filename
           in: query
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -26332,6 +26353,7 @@ paths:
         - description: SSL crt-list filename
           in: query
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - in: body
@@ -26375,6 +26397,7 @@ paths:
         - description: Stick table name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       responses:
@@ -26398,10 +26421,12 @@ paths:
         - description: A list of filters in format data.<type> <operator> <value> separated by comma
           in: query
           name: filter
+          pattern: ^[^\r\n;#]+$
           type: string
         - description: Key which we want the entries for
           in: query
           name: key
+          pattern: ^[^\r\n;#]+$
           type: string
         - description: Max number of entries to be returned for pagination
           in: query
@@ -26434,6 +26459,7 @@ paths:
               data_type:
                 $ref: '#/definitions/stick_table_entry'
               key:
+                pattern: ^[^\r\n;#]+$
                 type: string
             required:
               - key
@@ -26478,6 +26504,7 @@ paths:
         - description: Map file name
           in: path
           name: name
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
         - description: If true, deletes file from disk
@@ -26506,6 +26533,7 @@ paths:
         - description: Map file name
           in: path
           name: name
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
       responses:
@@ -26527,6 +26555,7 @@ paths:
         - description: Map file name
           in: path
           name: name
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
         - default: false
@@ -26606,6 +26635,7 @@ paths:
         - description: Map id
           in: path
           name: id
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -26631,6 +26661,7 @@ paths:
         - description: Map id
           in: path
           name: id
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -26653,6 +26684,7 @@ paths:
         - description: Map id
           in: path
           name: id
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -26709,6 +26741,7 @@ paths:
         - description: Certificate file name
           in: query
           name: certificate
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
       responses:

specification/haproxy-spec.yaml

@@ -830,6 +830,7 @@ parameters:
     description: Parent name
     required: true
     type: string
+    pattern: '^[^\r\n<>*;$#&{}"]+$'
   full_section:
     name: full_section
     in: query

specification/paths/runtime/acls.yaml

@@ -28,6 +28,7 @@ acls_one:
         description: ACL file entry ID
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
     responses:
       '200':
         description: Successful operation

specification/paths/runtime/acls_entries.yaml

@@ -14,6 +14,7 @@ acls_entries_one:
         description: File entry ID
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
     responses:
       '200':
         description: Successful operation
@@ -39,6 +40,7 @@ acls_entries_one:
         description: File entry ID
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
     responses:
       '204':
         description: Successful operation

specification/paths/runtime/acme.yaml

@@ -26,6 +26,7 @@ acme:
         description: Certificate file name
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
     responses:
       '200':
         description: Operation started

specification/paths/runtime/maps.yaml

@@ -35,6 +35,7 @@ maps_one:
         description: Map file name
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
     responses:
       '200':
         description: Successful operation
@@ -54,6 +55,7 @@ maps_one:
         description: Map file name
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
       - name: forceDelete
         in: query
         description: If true, deletes file from disk
@@ -82,6 +84,7 @@ maps_one:
         description: Map file name
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
       - name: force_sync
         in: query
         description: If true, immediately syncs changes to disk