docs: warning about hook executor

This commit is contained in:
Henrique Dias 2026-06-27 09:37:29 +02:00
parent d76b7d1610
commit c05ead7e8e
No known key found for this signature in database

View file

@ -46,6 +46,10 @@ The Hook Authentication method in FileBrowser allows developers to delegate user
The hooks output controls user permissions, scope, locale, and other attributes, making it a powerful and extensible authentication mechanism.
> [!WARNING]
>
> The submitted username and password are attacker-controlled and are handed to your hook command as the `USERNAME` and `PASSWORD` environment variables. File Browser runs the command directly, without a shell, so the values themselves are inert. However, your script must treat them as untrusted: always quote them (`"$USERNAME"`, `"$PASSWORD"`) and never pass them unquoted to a shell, `eval`, `bash -c`, command substitution, or backticks. A hook script that shell-evaluates these values turns any login request into remote code execution.
For example, the following code delegates filebrowser authentication to a PowerShell script on Windows. You can configure any command (for example, a script in Python, Node.js, etc.).
```sh