Sanitize cli arguments

elastic · Feb 7, 2024 · 2073dc8 · 2073dc8
1 parent 9e35092
commit 2073dc8
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/agent/native/ext/MemoryTracker.cpp b/agent/native/ext/MemoryTracker.cpp
@@ -241,6 +241,10 @@ void removeFromTrackedAllocatedBlocks(
         IntrusiveDoublyLinkedList* allocatedBlocks,
         size_t* possibleActuallyRequestedSize )
 {
+    if (!allocatedBlock) {
+        return;
+    }
+
     EmbeddedTrackingDataHeader* trackingDataHeader = allocatedBlockToTrackingData( allocatedBlock, originallyRequestedSize );
 
     verifyMagic( "prefix", trackingDataHeader->prefixMagic, prefixMagicExpectedValue );
@@ -275,7 +279,7 @@ void memoryTrackerBeforeFree(
     IntrusiveDoublyLinkedList* allocatedBlocks = isPersistent ? &memTracker->allocatedPersistentBlocks : &memTracker->allocatedRequestScopedBlocks;
 
     ELASTIC_APM_ASSERT( *allocated >= originallyRequestedSize
-            , "Attempting to free more %s memory than allocated. Allocated: %" PRIu64 ". Attempting to free: %" PRIu64 
+            , "Attempting to free more %s memory than allocated. Allocated: %" PRIu64 ". Attempting to free: %" PRIu64
             , allocType( isPersistent ), *allocated, (UInt64)originallyRequestedSize );
 
     *possibleActuallyRequestedSize = originallyRequestedSize;

diff --git a/agent/php/ElasticApm/Impl/AutoInstrument/TransactionForExtensionRequest.php b/agent/php/ElasticApm/Impl/AutoInstrument/TransactionForExtensionRequest.php
@@ -420,6 +420,10 @@ private static function isCliScript(): bool
         return PHP_SAPI === 'cli';
     }
 
+    private function sanitizeCliName(string $name): string {
+        return preg_replace('/[^a-zA-Z0-9.:_\-]/', '_', $name);
+    }
+
     private function discoverCliName(): string
     {
         global $argc, $argv;
@@ -452,7 +456,7 @@ private function discoverCliName(): string
                 'Using CLI script name as transaction name',
                 ['cliScriptName' => $cliScriptName, 'argc' => $argc, 'argv' => $argv]
             );
-            return $cliScriptName;
+            return $this->sanitizeCliName($cliScriptName);
         }
 
         $txName = $cliScriptName . ' ' . $argv[1];
@@ -462,7 +466,7 @@ private function discoverCliName(): string
             . ' - including the first argument in transaction name',
             ['txName' => $txName, 'argc' => $argc, 'argv' => $argv]
         );
-        return $txName;
+        return $this->sanitizeCliName($txName);
     }
 
     /**