BUG/MEDIUM: runtime: reject special characters in filenames

Avoid command injection when calling the runtime API by rejecting
dangerous characters which should never be used in filenames.

The rejected characters: \r\n<>*;$#&{}"

Note that we cannot simply add quotes around arguments in runtime
commands since HAProxy does not parse them, unlike in the configuration
file.

Author: oliwer

runtime/runtime_single_client.go

@@ -33,6 +33,8 @@ const (
 	masterSocket socketType = "master"
 )
 
+var ErrRuntimeInvalidChar = errors.New("invalid character found in runtime command")
+
 type socketType string
 
 // SingleRuntime handles one runtime API
@@ -180,6 +182,10 @@ func (s *SingleRuntime) ExecuteMaster(command string) (string, error) {
 }
 
 func (s *SingleRuntime) executeRaw(command string, retry int, socket socketType) (string, error) {
+	// Make sure to only execute a single command.
+	if strings.ContainsAny(command, ";") {
+		return "", ErrRuntimeInvalidChar
+	}
 	result, err := s.readFromSocket(command, socket)
 	if err != nil && retry > 0 {
 		retry--

runtime/runtime_single_client_test.go

@@ -0,0 +1,46 @@
+// Copyright 2026 HAProxy Technologies
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package runtime_test
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/haproxytech/client-native/v6/runtime"
+)
+
+func TestSingleRuntime_Execute(t *testing.T) {
+	tests := []struct {
+		name    string // description of this test case
+		command string
+		wantErr error
+	}{
+		{
+			name:    "two commands with semicolon",
+			command: "show ssl cert foo;dump ssl foo",
+			wantErr: runtime.ErrRuntimeInvalidChar,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var s runtime.SingleRuntime
+			gotErr := s.Execute(tt.command)
+			if !errors.Is(gotErr, tt.wantErr) {
+				t.Errorf("got %v, expected %v", gotErr, tt.wantErr)
+			}
+		})
+	}
+}

specification/build/haproxy_spec.yaml

@@ -12036,6 +12036,7 @@ parameters:
     description: Parent name
     required: true
     type: string
+    pattern: '^[^\r\n<>*;$#&{}"]+$'
   full_section:
     name: full_section
     in: query
@@ -25429,6 +25430,7 @@ paths:
         - description: ACL file entry ID
           in: path
           name: id
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -25521,6 +25523,7 @@ paths:
         - description: File entry ID
           in: path
           name: id
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -25544,6 +25547,7 @@ paths:
         - description: File entry ID
           in: path
           name: id
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -25628,6 +25632,7 @@ paths:
         - description: Server name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -25650,6 +25655,7 @@ paths:
         - description: Server name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -25672,6 +25678,7 @@ paths:
         - description: Server name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -25744,6 +25751,7 @@ paths:
         - description: SSL CA file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       responses:
@@ -25763,6 +25771,7 @@ paths:
         - description: SSL CA file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -25788,6 +25797,7 @@ paths:
         - description: SSL CA file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - in: formData
@@ -25815,6 +25825,7 @@ paths:
         - description: SSL CA file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: Payload of the cert entry
@@ -25845,6 +25856,7 @@ paths:
         - description: SSL CA file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: SSL CA file index
@@ -25917,6 +25929,7 @@ paths:
         - description: SSL certificate name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       responses:
@@ -25936,6 +25949,7 @@ paths:
         - description: SSL certificate name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -25959,6 +25973,7 @@ paths:
         - description: SSL certificate name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - in: formData
@@ -26026,6 +26041,7 @@ paths:
         - description: CRL file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       responses:
@@ -26045,6 +26061,7 @@ paths:
         - description: CRL file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: Entry index to return. Starts at 1. If not provided, all entries are returned.
@@ -26076,6 +26093,7 @@ paths:
         - description: CRL file name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: CRL file contents
@@ -26118,11 +26136,13 @@ paths:
         - description: SSL crt list name
           in: query
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: SSL cert entry name
           in: query
           name: cert_file
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - description: The line number where the entry is located, in case several entries share the same certificate.
@@ -26150,6 +26170,7 @@ paths:
         - description: SSL crt-list filename
           in: query
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       produces:
@@ -26171,6 +26192,7 @@ paths:
         - description: SSL crt-list filename
           in: query
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
         - in: body
@@ -26214,6 +26236,7 @@ paths:
         - description: Stick table name
           in: path
           name: name
+          pattern: ^[^\r\n<>*;$#&{}"]+$
           required: true
           type: string
       responses:
@@ -26237,10 +26260,12 @@ paths:
         - description: A list of filters in format data.<type> <operator> <value> separated by comma
           in: query
           name: filter
+          pattern: ^[^\r\n;#]+$
           type: string
         - description: Key which we want the entries for
           in: query
           name: key
+          pattern: ^[^\r\n;#]+$
           type: string
         - description: Max number of entries to be returned for pagination
           in: query
@@ -26273,6 +26298,7 @@ paths:
               data_type:
                 $ref: '#/definitions/stick_table_entry'
               key:
+                pattern: ^[^\r\n;#]+$
                 type: string
             required:
               - key
@@ -26317,6 +26343,7 @@ paths:
         - description: Map file name
           in: path
           name: name
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
         - description: If true, deletes file from disk
@@ -26345,6 +26372,7 @@ paths:
         - description: Map file name
           in: path
           name: name
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
       responses:
@@ -26366,6 +26394,7 @@ paths:
         - description: Map file name
           in: path
           name: name
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
         - default: false
@@ -26445,6 +26474,7 @@ paths:
         - description: Map id
           in: path
           name: id
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -26470,6 +26500,7 @@ paths:
         - description: Map id
           in: path
           name: id
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -26492,6 +26523,7 @@ paths:
         - description: Map id
           in: path
           name: id
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
         - $ref: '#/parameters/parent_name'
@@ -26548,6 +26580,7 @@ paths:
         - description: Certificate file name
           in: query
           name: certificate
+          pattern: ^[^\r\n&lt;>*;$#&{}"]+$
           required: true
           type: string
       responses:

specification/haproxy-spec.yaml

@@ -830,6 +830,7 @@ parameters:
     description: Parent name
     required: true
     type: string
+    pattern: '^[^\r\n<>*;$#&{}"]+$'
   full_section:
     name: full_section
     in: query

specification/paths/runtime/acls.yaml

@@ -28,6 +28,7 @@ acls_one:
         description: ACL file entry ID
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
     responses:
       '200':
         description: Successful operation

specification/paths/runtime/acls_entries.yaml

@@ -14,6 +14,7 @@ acls_entries_one:
         description: File entry ID
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
     responses:
       '200':
         description: Successful operation
@@ -39,6 +40,7 @@ acls_entries_one:
         description: File entry ID
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
     responses:
       '204':
         description: Successful operation

specification/paths/runtime/acme.yaml

@@ -26,6 +26,7 @@ acme:
         description: Certificate file name
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
     responses:
       '200':
         description: Operation started

specification/paths/runtime/maps.yaml

@@ -35,6 +35,7 @@ maps_one:
         description: Map file name
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
     responses:
       '200':
         description: Successful operation
@@ -54,6 +55,7 @@ maps_one:
         description: Map file name
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
       - name: forceDelete
         in: query
         description: If true, deletes file from disk
@@ -82,6 +84,7 @@ maps_one:
         description: Map file name
         required: true
         type: string
+        pattern: '^[^\r\n<>*;$#&{}"]+$'
       - name: force_sync
         in: query
         description: If true, immediately syncs changes to disk