Fix command injection vulnerability

Author: Napsty

check_smart.pl

@@ -67,13 +67,14 @@
 # Dec 15, 2025: Florian Sager - Fix evaluating ATA Error Count: 0 as a warning (6.17.0)
 # Dec 15, 2025: Philippe Beaumont - Add areca devices (6.17.0)
 # Apr 21, 2026: Claudio Kuenzler - Fix sys path for sudo command. Detect NVME input/output error (6.18.0)
+# Apr 22, 2026: Claudio Kuenzler - Fix command injection vulnerability in interface parameter (6.18.1)
 
 use strict;
 use Getopt::Long;
 use File::Basename qw(basename);
 
 my $basename = basename($0);
-my $revision = '6.18.0';
+my $revision = '6.18.1';
 
 # Standard Nagios return codes
 my %ERRORS=('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4);
@@ -174,8 +175,11 @@
 
         # Allow all device types currently supported by smartctl
         # See http://www.smartmontools.org/wiki/Supported_RAID-Controllers
-
-        if ($opt_i =~ m/^(ata|scsi|3ware|areca|hpt|aacraid|cciss|megaraid|sat|auto|nvme|usbjmicron)/) {
+        # Validate interface parameter strictly to prevent command injection
+        # Simple interfaces must match exactly; RAID interfaces allow device specifiers (see --help)
+        if ($opt_i =~ m/^(ata|scsi|sat|auto|nvme)$/ ||
+            $opt_i =~ m/^(3ware|areca|aacraid|cciss|megaraid|usbjmicron),(\d+|\[\d+-\d+\])$/ ||
+            $opt_i =~ m/^hpt,\d+\/\d+\/\d+$/) {
             $interface = $opt_i;
           if($interface =~ m/megaraid,\[(\d{1,2})-(\d{1,2})\]/) {
             $interface = "";