Command injection via server_password

[lapuhhh]

Trashmap allows users to update test server settings (server name and password) via the update-settings endpoint.

However, the server_password field is not properly sanitized — it is inserted directly into the server configuration file (likely autoexec.cfg or equivalent for DDNet). This makes it possible to inject arbitrary server commands by appending new lines to the password value, for example setting sv_rcon_password.

As a result, any user can gain unrestricted RCON access to their own test server.

Potential risks:

• Full server control via RCON (commands like shutdown, kick, ban, change settings, etc.)
• Possibility to keep servers occupied/flooded (e.g. via sv_shutdown_when_empty 0 or similar), which can block ports/slots for other users who want to test maps.

Would it be possible to add sanitization for server_password (e.g. escape newlines/quotes or restrict allowed characters)?

[timakro]

I'm trying to escape it correctly:

trashmap/src/main.rs

Lines 157 to 159 in 191ce2c

	fn escape_ddnet(str: &str) -> String {
	str.replace(r"\", r"\\").replace("\"", "\\\"")
	}

Even looked at the server's command parsing code IIRC. What did I miss that allows to inject commands?

[lapuhhh]

Thank you for the quick response and for checking the escaping code

The current escape_ddnet function handles backslashes and quotes correctly (\ → \\, " → \"), but it doesn't touch newline characters (\n / \r). That's the key point that allows the injection to succeed.

Here's a very minimal Tampermonkey PoC showing the bypass:
poc.js

It waits for the server to be ready and then sends the injection via update-settings.

upd. I noticed that PR #1 (opened in 2024) already suggested a similar improvement to the escaping logic.
maybe parts of it are still useful?