
use safeShellArg where needed

master
Jonathan Cobb 3 years ago
parent
commit
32f30c49b1
4 changed files with 12 additions and 3 deletions
  1. +2
    -1
      src/main/java/org/cobbzilla/util/http/HttpRequestBean.java
  2. +5
    -0
      src/main/java/org/cobbzilla/util/http/HttpUtil.java
  3. +2
    -1
      src/main/java/org/cobbzilla/util/io/main/FilesystemWatcherMain.java
  4. +3
    -1
      src/main/java/org/cobbzilla/util/string/StringUtil.java

+ 2
- 1
src/main/java/org/cobbzilla/util/http/HttpRequestBean.java View File

@@ -26,6 +26,7 @@ import static org.cobbzilla.util.daemon.ZillaRuntime.empty;
import static org.cobbzilla.util.http.HttpContentTypes.NV_HTTP_JSON;
import static org.cobbzilla.util.http.HttpMethods.*;
import static org.cobbzilla.util.reflect.ReflectionUtil.copy;
import static org.cobbzilla.util.string.StringUtil.safeShellUrlArg;
import static org.cobbzilla.util.system.CommandShell.execScript;

/**
@@ -153,7 +154,7 @@ public class HttpRequestBean {
public static HttpRequestBean postJson(String path, String json) { return new HttpRequestBean(POST, path, json, NV_HTTP_JSON); }

public String cURL () {
final StringBuilder b = new StringBuilder("curl '"+getUri()).append("'");
final StringBuilder b = new StringBuilder("curl '"+safeShellUrlArg(getUri())).append("'");
for (NameAndValue header : getHeaders()) {
final String name = header.getName();
b.append(" -H '").append(name).append(": ").append(header.getValue()).append("'");
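Review bot: Only the URI now goes through safeShellUrlArg; the header name and value on the last line of the hunk are still appended raw inside single quotes, so a value containing `'` terminates the quoted argument and the remainder is parsed as shell text. The same allow-list treatment should cover both, e.g. `b.append(" -H '").append(safeShellArg(name)).append(": ").append(safeShellArg(header.getValue())).append("'");` with a matching static import of safeShellArg. Note that safeShellArg keeps only `[-.@+_% \t/=\w]`, so header values with `;` or `:` (such as `application/json; charset=utf-8`) would be silently altered rather than rejected — confirm against the values this bean actually carries. cURL() continues past the end of the hunk.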


+ 5
- 0
src/main/java/org/cobbzilla/util/http/HttpUtil.java View File

@@ -52,6 +52,7 @@ import static org.cobbzilla.util.json.JsonUtil.COMPACT_MAPPER;
import static org.cobbzilla.util.json.JsonUtil.json;
import static org.cobbzilla.util.security.CryptStream.BUFFER_SIZE;
import static org.cobbzilla.util.string.StringUtil.*;
import static org.cobbzilla.util.string.ValidationRegexes.isHostname;
import static org.cobbzilla.util.system.Sleep.sleep;
import static org.cobbzilla.util.time.TimeUtil.DATE_FORMAT_LAST_MODIFIED;

@@ -397,6 +398,10 @@ public class HttpUtil {
public static boolean isOk(String url) { return isOk(url, URIUtil.getHost(url)); }

public static boolean isOk(String url, String host) {
if (!isHostname(host)) {
log.warn("isOK: invalid hostname, returning false: "+host);
return false;
}
final CommandLine command = new CommandLine("curl")
.addArgument("--insecure") // since we are requested via the IP address, the cert will not match
.addArgument("--header").addArgument("Host: " + host) // pass FQDN via Host header
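Review bot: The new guard validates `host` only, while the method's other input, `url`, is not checked in the visible lines even though the one-argument overload derives host from it with `URIUtil.getHost(url)`; if url is also handed to the curl command further down the body, it reaches the command unvalidated. Either add a corresponding early return for url or add a comment on the guard stating why host is the only argument that needs one, e.g. `// host is the only value that reaches the command unquoted; url is parsed by curl itself`, adjusted to what the rest of the method does. The log message also says `isOK:` while the method is named `isOk`, which makes the line harder to grep for. isOk's body continues past the end of the hunk.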


+ 2
- 1
src/main/java/org/cobbzilla/util/io/main/FilesystemWatcherMain.java View File

@@ -13,6 +13,7 @@ import java.util.List;

import static org.cobbzilla.util.daemon.ZillaRuntime.errorString;
import static org.cobbzilla.util.daemon.ZillaRuntime.now;
import static org.cobbzilla.util.string.StringUtil.safeShellArg;

@Slf4j
public class FilesystemWatcherMain extends BaseMain<FilesystemWatcherMainOptions> {
@@ -30,7 +31,7 @@ public class FilesystemWatcherMain extends BaseMain<FilesystemWatcherMainOptions
@Override public void uber_fire(List<WatchEvent<?>> events) {
try {
if (options.hasCommand()) {
CommandShell.exec(new CommandLine(options.getCommand()));
CommandShell.exec(new CommandLine(safeShellArg(options.getCommand())));
} else {
final String msg = status() + " uber_fire ("+events.size()+" events) at " + DFORMAT.print(now());
log.info(msg);
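Review bot: safeShellArg silently strips characters from the configured command instead of rejecting it, so a command path containing anything outside `[-.@+_% \t/=\w]` (a `:` for instance) is executed as a different, possibly nonexistent, program with nothing in the log to explain it. StringUtil already provides `checkSafeShellArg`, so the safer shape is to fail loudly: `final String cmd = options.getCommand();` then `if (!checkSafeShellArg(cmd)) { log.warn("uber_fire: rejecting unsafe command: " + cmd); return; }` followed by `CommandShell.exec(new CommandLine(cmd));`. If this CommandLine is the single-string constructor that treats its argument as the executable alone, no shell parses the string and the stripping is more mangling than protection — worth a one-line comment either way. The enclosing try block's catch lies outside the hunk.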


+ 3
- 1
src/main/java/org/cobbzilla/util/string/StringUtil.java View File

@@ -101,11 +101,13 @@ public class StringUtil {

public static String lastPathElement(String url) { return url.substring(url.lastIndexOf("/")+1); }

public static String safeShellArg (String s) { return s.replaceAll("[^-\\.@_ \t/=\\w]+", ""); }
public static String safeShellArg (String s) { return s.replaceAll("[^-\\.@+_% \t/=\\w]+", ""); }
public static boolean checkSafeShellArg (String s) { return safeShellArg(s).equals(s); }
public static String safeFunctionName (String s) { return s.replaceAll("\\W", ""); }
public static String safeSnakeName (String s) { return s.replaceAll("\\W", "_"); }

public static String safeShellUrlArg (String s) { return s.replaceAll("[^-\\.&?@+_%/=\\w]+", ""); }

public static String onlyDigits (String s) { return s.replaceAll("\\D+", ""); }

public static String removeWhitespace (String s) { return s.replaceAll("\\p{javaSpaceChar}", ""); }
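Review bot: The allow-list regexes carry no documentation of the context they are safe for, and `safeShellUrlArg` omits `:`, so a URL with a scheme or an explicit port (`https://host:8443/x`) comes back as `https//host8443/x` rather than being rejected; if callers pass such URLs, add `:` to the class (`[^-\\.&?:@+_%/=\\w]+`) or document that only scheme-less paths are expected. A Javadoc on `safeShellUrlArg` should also state that `&` and `?` are shell metacharacters when unquoted, so the result is only safe when placed inside single quotes, which is how HttpRequestBean.cURL() uses it. There is also no `checkSafeShellUrlArg` counterpart to `checkSafeShellArg`, so callers have no way to reject rather than silently alter a URL.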

