Heratio Framework API Reference

ShellCommandService
in package

Shell Command Service — safe shell execution utilities.

Provides properly escaped shell command builders to prevent command injection vulnerabilities. All external input passed to shell commands MUST be routed through this service.

Table of Contents

Methods

buildMysqldumpCommand()  : string
Build a mysqldump command with properly escaped credentials.
buildMysqlRestoreCommand()  : string
Build a mysql restore command with properly escaped credentials.
buildSystemctlCommand()  : string|null
Build a systemctl command for an allowed service.
buildTarCommand()  : string
Build a tar archive command with escaped paths.
buildZipCommand()  : string
Build a zip command with escaped paths.
escapePostScript()  : string
Escape a PostScript string to prevent PS injection.
execInDir()  : bool
Execute a command in a specific directory after validating the path.
isAllowedService()  : bool
Validate a service name against the allowlist.
validateCommand()  : bool
Validate that a command name contains no shell metacharacters.

Methods

buildMysqldumpCommand()

Build a mysqldump command with properly escaped credentials.

public static buildMysqldumpCommand(string $host, int|string $port, string $user, string $password, string $database, string $outputFile[, string $errorFile = '/dev/null' ][, array<string|int, mixed> $extraArgs = [] ]) : string
Parameters
$host : string

Database host

$port : int|string

Database port

$user : string

Database username

$password : string

Database password (empty string = no password arg)

$database : string

Database name

$outputFile : string

Path to write the SQL dump

$errorFile : string = '/dev/null'

Path for stderr output

$extraArgs : array<string|int, mixed> = []

Additional mysqldump flags

Return values
string

buildMysqlRestoreCommand()

Build a mysql restore command with properly escaped credentials.

public static buildMysqlRestoreCommand(string $host, int|string $port, string $user, string $password, string $database, string $inputFile[, bool $isGzipped = false ]) : string
Parameters
$host : string
$port : int|string
$user : string
$password : string
$database : string
$inputFile : string
$isGzipped : bool = false
Return values
string

buildSystemctlCommand()

Build a systemctl command for an allowed service.

public static buildSystemctlCommand(string $action, string $service) : string|null
Parameters
$action : string

The systemctl action (restart, start, stop, status)

$service : string

The service name (must be in allowlist)

Return values
string|null

The command string, or null if service not allowed

buildTarCommand()

Build a tar archive command with escaped paths.

public static buildTarCommand(string $tarFile, string $sourceDir[, array<string|int, mixed> $excludes = [] ][, array<string|int, mixed> $includes = [] ]) : string
Parameters
$tarFile : string
$sourceDir : string
$excludes : array<string|int, mixed> = []
$includes : array<string|int, mixed> = []
Return values
string

buildZipCommand()

Build a zip command with escaped paths.

public static buildZipCommand(string $sourceDir, string $zipFile[, array<string|int, mixed> $excludePatterns = [] ]) : string
Parameters
$sourceDir : string
$zipFile : string
$excludePatterns : array<string|int, mixed> = []
Return values
string

escapePostScript()

Escape a PostScript string to prevent PS injection.

public static escapePostScript(string $input) : string

Strips characters that could be used for PostScript injection: parentheses, backslashes, and other control sequences.

Parameters
$input : string
Return values
string

execInDir()

Execute a command in a specific directory after validating the path.

public static execInDir(string $directory, string $command[, array<string|int, mixed> &$output = [] ][, int &$returnCode = 0 ]) : bool
Parameters
$directory : string

The directory to cd into

$command : string

The command to run (should already be escaped)

$output : array<string|int, mixed> = []

Captured output lines

$returnCode : int = 0

Exit code

Return values
bool

True if command succeeded (exit code 0)

isAllowedService()

Validate a service name against the allowlist.

public static isAllowedService(string $name) : bool
Parameters
$name : string
Return values
bool

validateCommand()

Validate that a command name contains no shell metacharacters.

public static validateCommand(string $command) : bool

Only allows alphanumeric characters, hyphens, underscores, dots, and forward slashes.

Parameters
$command : string

The command name to validate

Return values
bool

True if the command name is safe


        

        
    




    

    

                                

                

                                
    

        On this page

        
    


                

                            

            

    

        

            
Search results