fix(install.sh): validate EMAIL against shell/XML injection (PILOT-245) (#175)

matthew-pilot · web-flow · commit ad6ed065013b · 2026-05-29T13:38:07.000-07:00
${EMAIL} is written unquoted into systemd ExecStart= and unescaped
into macOS plist &lt;string&gt; elements. A malicious email containing
shell metacharacters (spaces, semicolons, pipes) or XML metacharacters
(&lt;, &gt;, &amp;) can inject additional command-line arguments or break out
of the plist structure.

Fix: validate EMAIL against ^[A-Za-z0-9@._+-]+$ after resolution
and refuse install with a clear error if it contains unsafe characters.

Closes PILOT-245
diff --git a/install.sh b/install.sh
@@ -185,6 +185,15 @@ if [ -z "$EMAIL" ] && [ ! -x "$BIN_DIR/pilotctl" ]; then
     fi
 fi
 
+# --- Validate email (prevent shell/XML injection) ---
+
+if [ -n "$EMAIL" ]; then
+    if ! echo "$EMAIL" | grep -qE '^[A-Za-z0-9@._+-]+$'; then
+        echo "  Error: EMAIL contains invalid characters (only A-Z a-z 0-9 @ . _ + - allowed)"
+        exit 1
+    fi
+fi
+
 # --- Detect existing installation ---
 
 UPDATING=false
