fix: handle special characters in SSH password/passphrase (Fixes #312)

- Use sshpass -f with temp file in transferScriptsFolder so password/passphrase
  never go through shell; safe for {, $, ", etc.
- Pass password via SSH_PASSWORD env in testWithExpect instead of embedding
  in script
- Add ServerForm hint: SSH key recommended; special chars supported

.github/workflows/publish_release.yml

@@ -31,20 +31,24 @@ jobs:
           echo "Found draft version: ${{ steps.draft.outputs.tag_name }}"
 
       
-      - name: Create branch and commit VERSION
+      - name: Create branch and commit VERSION and package.json
         run: |
           branch="update-version-${{ steps.draft.outputs.tag_name }}"
           # Delete remote branch if exists
           git push origin --delete "$branch" || echo "No remote branch to delete"
           git fetch origin main
           git checkout -b "$branch" origin/main
-          # Write VERSION file and timestamp to ensure a diff
+          # Version without 'v' prefix (e.g. v1.2.3 -> 1.2.3)
           version="${{ steps.draft.outputs.tag_name }}"
-          echo "$version" | sed 's/^v//' > VERSION
+          version_plain=$(echo "$version" | sed 's/^v//')
-          git add VERSION
+          # Write VERSION file
+          echo "$version_plain" > VERSION
+          # Update package.json version
+          jq --arg v "$version_plain" '.version = $v' package.json > package.json.tmp && mv package.json.tmp package.json
+          git add VERSION package.json
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git commit -m "chore: add VERSION $version" --allow-empty
+          git commit -m "chore: bump version to $version_plain (VERSION + package.json)" --allow-empty
 
       - name: Push changes
         run: |
@@ -57,8 +61,8 @@ jobs:
             pr_url=$(gh pr create \
             --base main \
             --head update-version-${{ steps.draft.outputs.tag_name }} \
-            --title "chore: add VERSION ${{ steps.draft.outputs.tag_name }}" \
+            --title "chore: bump version to ${{ steps.draft.outputs.tag_name }} (VERSION + package.json)" \
-            --body "Adds VERSION file for release ${{ steps.draft.outputs.tag_name }}" \
+            --body "Updates VERSION file and package.json version for release ${{ steps.draft.outputs.tag_name }}" \
             --label automated)
     
             pr_number=$(echo "$pr_url" | awk -F/ '{print $NF}')

package.json

@@ -25,13 +25,13 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@prisma/adapter-better-sqlite3": "^7.2.0",
+    "@prisma/adapter-better-sqlite3": "^7.3.0",
-    "@prisma/client": "^7.2.0",
+    "@prisma/client": "^7.3.0",
     "@radix-ui/react-dropdown-menu": "^2.1.16",
     "@radix-ui/react-slot": "^1.2.4",
     "@t3-oss/env-nextjs": "^0.13.10",
     "@tailwindcss/typography": "^0.5.19",
-    "@tanstack/react-query": "^5.90.18",
+    "@tanstack/react-query": "^5.90.20",
     "@trpc/client": "^11.8.1",
     "@trpc/react-query": "^11.8.1",
     "@trpc/server": "^11.8.1",
@@ -42,14 +42,14 @@
     "@xterm/xterm": "^6.0.0",
     "axios": "^1.13.2",
     "bcryptjs": "^3.0.3",
-    "better-sqlite3": "^12.6.0",
+    "better-sqlite3": "^12.6.2",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "cron-validator": "^1.4.0",
     "dotenv": "^17.2.3",
     "jsonwebtoken": "^9.0.3",
     "lucide-react": "^0.562.0",
-    "next": "^16.1.3",
+    "next": ">=16.1.5",
     "node-cron": "^4.2.1",
     "node-pty": "^1.1.0",
     "react": "^19.2.3",
@@ -66,9 +66,10 @@
     "zod": "^4.3.5"
   },
   "devDependencies": {
+    "next": ">=16.1.5",
     "@tailwindcss/postcss": "^4.1.18",
     "@testing-library/jest-dom": "^6.9.1",
-    "@testing-library/react": "^16.3.1",
+    "@testing-library/react": "^16.3.2",
     "@testing-library/user-event": "^14.6.1",
     "@types/bcryptjs": "^3.0.0",
     "@types/better-sqlite3": "^7.6.13",
@@ -87,11 +88,11 @@
     "postcss": "^8.5.6",
     "prettier": "^3.8.0",
     "prettier-plugin-tailwindcss": "^0.7.2",
-    "prisma": "^7.2.0",
+    "prisma": "^7.3.0",
     "tailwindcss": "^4.1.18",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
-    "typescript-eslint": "^8.53.0",
+    "typescript-eslint": "^8.54.0",
     "vitest": "^4.0.17"
   },
   "ct3aMetadata": {
@@ -102,6 +103,7 @@
     "node": ">=24.0.0"
   },
   "overrides": {
-    "prismjs": "^1.30.0"
+    "prismjs": "^1.30.0",
+    "hono": ">=4.11.7"
   }
 }

server.js

@@ -312,7 +312,7 @@ class ScriptExecutionHandler {
           } else if (isUpdate && containerId) {
             await this.startUpdateExecution(ws, containerId, executionId, mode, server, backupStorage);
           } else if (isShell && containerId) {
-            await this.startShellExecution(ws, containerId, executionId, mode, server);
+            await this.startShellExecution(ws, containerId, executionId, mode, server, containerType);
           } else {
             await this.startScriptExecution(ws, scriptPath, executionId, mode, server, envVars);
           }
@@ -1474,21 +1474,21 @@ class ScriptExecutionHandler {
    * @param {string} executionId
    * @param {string} mode
    * @param {ServerInfo|null} server
+   * @param {'lxc'|'vm'} [containerType='lxc']
    */
-  async startShellExecution(ws, containerId, executionId, mode = 'local', server = null) {
+  async startShellExecution(ws, containerId, executionId, mode = 'local', server = null, containerType = 'lxc') {
     try {
-      
+      const typeLabel = containerType === 'vm' ? 'VM' : 'container';
-      // Send start message
       this.sendMessage(ws, {
         type: 'start',
-        data: `Starting shell session for container ${containerId}...`,
+        data: `Starting shell session for ${typeLabel} ${containerId}...`,
         timestamp: Date.now()
       });
 
       if (mode === 'ssh' && server) {
-        await this.startSSHShellExecution(ws, containerId, executionId, server);
+        await this.startSSHShellExecution(ws, containerId, executionId, server, containerType);
       } else {
-        await this.startLocalShellExecution(ws, containerId, executionId);
+        await this.startLocalShellExecution(ws, containerId, executionId, containerType);
       }
 
     } catch (error) {
@@ -1505,12 +1505,12 @@ class ScriptExecutionHandler {
    * @param {ExtendedWebSocket} ws
    * @param {string} containerId
    * @param {string} executionId
+   * @param {'lxc'|'vm'} [containerType='lxc']
    */
-  async startLocalShellExecution(ws, containerId, executionId) {
+  async startLocalShellExecution(ws, containerId, executionId, containerType = 'lxc') {
     const { spawn } = await import('node-pty');
-    
+    const shellCommand = containerType === 'vm' ? `qm terminal ${containerId}` : `pct enter ${containerId}`;
-    // Create a shell process that will run pct enter
+    const childProcess = spawn('bash', ['-c', shellCommand], {
-    const childProcess = spawn('bash', ['-c', `pct enter ${containerId}`], {
       name: 'xterm-color',
       cols: 80,
       rows: 24,
@@ -1553,14 +1553,15 @@ class ScriptExecutionHandler {
    * @param {string} containerId
    * @param {string} executionId
    * @param {ServerInfo} server
+   * @param {'lxc'|'vm'} [containerType='lxc']
    */
-  async startSSHShellExecution(ws, containerId, executionId, server) {
+  async startSSHShellExecution(ws, containerId, executionId, server, containerType = 'lxc') {
     const sshService = getSSHExecutionService();
-    
+    const shellCommand = containerType === 'vm' ? `qm terminal ${containerId}` : `pct enter ${containerId}`;
     try {
       const execution = await sshService.executeCommand(
         server,
-        `pct enter ${containerId}`,
+        shellCommand,
         /** @param {string} data */
         (data) => {
           this.sendMessage(ws, {

src/app/_components/ConfigurationModal.tsx

@@ -199,6 +199,17 @@ export function ConfigurationModal({
     return !isNaN(num) && num > 0;
   };
 
+  const validateHostname = (hostname: string): boolean => {
+    if (!hostname || hostname.length > 253) return false;
+    const label = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$/;
+    const labels = hostname.split('.');
+    return labels.length >= 1 && labels.every(l => l.length >= 1 && l.length <= 63 && label.test(l));
+  };
+
+  const validateAptCacherAddress = (value: string): boolean => {
+    return validateIPv4(value) || validateHostname(value);
+  };
+
   const validateForm = (): boolean => {
     const newErrors: Record<string, string> = {};
 
@@ -216,8 +227,8 @@ export function ConfigurationModal({
       if (advancedVars.var_ns && !validateIPv4(advancedVars.var_ns as string)) {
         newErrors.var_ns = 'Invalid IPv4 address';
       }
-      if (advancedVars.var_apt_cacher_ip && !validateIPv4(advancedVars.var_apt_cacher_ip as string)) {
+      if (advancedVars.var_apt_cacher_ip && !validateAptCacherAddress(advancedVars.var_apt_cacher_ip as string)) {
-        newErrors.var_apt_cacher_ip = 'Invalid IPv4 address';
+        newErrors.var_apt_cacher_ip = 'Invalid IPv4 address or hostname';
       }
       // Validate IPv4 CIDR if network mode is static
       const netValue = advancedVars.var_net;
@@ -904,13 +915,13 @@ export function ConfigurationModal({
                   </div>
                   <div>
                     <label className="block text-sm font-medium text-foreground mb-2">
-                      APT Cacher IP
+                      APT Cacher host or IP
                     </label>
                     <Input
                       type="text"
                       value={typeof advancedVars.var_apt_cacher_ip === 'boolean' ? '' : String(advancedVars.var_apt_cacher_ip ?? '')}
                       onChange={(e) => updateAdvancedVar('var_apt_cacher_ip', e.target.value)}
-                      placeholder="192.168.1.10"
+                      placeholder="192.168.1.10 or apt-cacher.internal"
                       className={errors.var_apt_cacher_ip ? 'border-destructive' : ''}
                     />
                     {errors.var_apt_cacher_ip && (

src/app/_components/InstalledScriptsTab.tsx

@@ -80,6 +80,7 @@ export function InstalledScriptsTab() {
     id: number;
     containerId: string;
     server?: any;
+    containerType?: 'lxc' | 'vm';
   } | null>(null);
   const [showBackupPrompt, setShowBackupPrompt] = useState(false);
   const [showStorageSelection, setShowStorageSelection] = useState(false);
@@ -1167,6 +1168,7 @@ export function InstalledScriptsTab() {
       id: script.id,
       containerId: script.container_id,
       server: server,
+      containerType: script.is_vm ? 'vm' : 'lxc',
     });
   };
 
@@ -1452,6 +1454,13 @@ export function InstalledScriptsTab() {
       {/* Shell Terminal */}
       {openingShell && (
         <div className="mb-8" data-terminal="shell">
+          {openingShell.containerType === 'vm' && (
+            <p className="text-muted-foreground mb-2 text-sm">
+              VM shell uses the Proxmox serial console. The VM must have a
+              serial port configured (e.g. <code className="bg-muted rounded px-1">qm set {openingShell.containerId} -serial0 socket</code>).
+              Detach with <kbd className="bg-muted rounded px-1">Ctrl+O</kbd>.
+            </p>
+          )}
           <Terminal
             scriptPath={`shell-${openingShell.containerId}`}
             onClose={handleCloseShellTerminal}
@@ -1459,6 +1468,7 @@ export function InstalledScriptsTab() {
             server={openingShell.server}
             isShell={true}
             containerId={openingShell.containerId}
+            containerType={openingShell.containerType}
           />
         </div>
       )}
@@ -1538,7 +1548,7 @@ export function InstalledScriptsTab() {
           >
             {showAutoDetectForm
               ? "Cancel Auto-Detect"
-              : '🔍 Auto-Detect LXC Containers (Must contain a tag with "community-script")'}
+              : '🔍 Auto-Detect Containers & VMs (tag: community-script)'}
           </Button>
           <Button
             onClick={() => {
@@ -1764,12 +1774,11 @@ export function InstalledScriptsTab() {
           </div>
         )}
 
-        {/* Auto-Detect LXC Containers Form */}
+        {/* Auto-Detect Containers & VMs Form */}
         {showAutoDetectForm && (
           <div className="bg-card border-border mb-6 rounded-lg border p-4 shadow-sm sm:p-6">
             <h3 className="text-foreground mb-4 text-lg font-semibold sm:mb-6">
-              Auto-Detect LXC Containers (Must contain a tag with
+              Auto-Detect Containers &amp; VMs (tag: community-script)
-              &quot;community-script&quot;)
             </h3>
             <div className="space-y-4 sm:space-y-6">
               <div className="bg-muted/30 border-muted rounded-lg border p-4">
@@ -1795,12 +1804,12 @@ export function InstalledScriptsTab() {
                       <p>This feature will:</p>
                       <ul className="mt-1 list-inside list-disc space-y-1">
                         <li>Connect to the selected server via SSH</li>
-                        <li>Scan all LXC config files in /etc/pve/lxc/</li>
+                        <li>Scan LXC configs in /etc/pve/lxc/ and VM configs in /etc/pve/qemu-server/</li>
                         <li>
-                          Find containers with &quot;community-script&quot; in
+                          Find containers and VMs with &quot;community-script&quot; in
                           their tags
                         </li>
-                        <li>Extract the container ID and hostname</li>
+                        <li>Extract the container/VM ID and hostname or name</li>
                         <li>Add them as installed script entries</li>
                       </ul>
                     </div>
@@ -2302,6 +2311,11 @@ export function InstalledScriptsTab() {
                                             "stopped"
                                           }
                                           className="text-muted-foreground hover:text-foreground hover:bg-muted/20 focus:bg-muted/20"
+                                          title={
+                                            script.is_vm
+                                              ? "VM serial console (requires serial port; detach with Ctrl+O)"
+                                              : undefined
+                                          }
                                         >
                                           Shell
                                         </DropdownMenuItem>

src/app/_components/PBSCredentialsModal.tsx

@@ -270,22 +270,21 @@ export function PBSCredentialsModal({
                 htmlFor="pbs-fingerprint"
                 className="text-foreground mb-1 block text-sm font-medium"
               >
-                Fingerprint <span className="text-error">*</span>
+                Fingerprint
               </label>
               <input
                 type="text"
                 id="pbs-fingerprint"
                 value={pbsFingerprint}
                 onChange={(e) => setPbsFingerprint(e.target.value)}
-                required
                 disabled={isLoading}
                 className="bg-card text-foreground placeholder-muted-foreground focus:ring-ring focus:border-ring border-border w-full rounded-md border px-3 py-2 shadow-sm focus:ring-2 focus:outline-none"
                 placeholder="e.g., 7b:e5:87:38:5e:16:05:d1:12:22:7f:73:d2:e2:d0:cf:8c:cb:28:e2:74:0c:78:91:1a:71:74:2e:79:20:5a:02"
               />
               <p className="text-muted-foreground mt-1 text-xs">
-                Server fingerprint for auto-acceptance. You can find this on
+                Leave empty if PBS uses a trusted CA (e.g. Let&apos;s Encrypt).
-                your PBS dashboard by clicking the &quot;Show Fingerprint&quot;
+                For self-signed certificates, enter the server fingerprint from
-                button.
+                the PBS dashboard (&quot;Show Fingerprint&quot;).
               </p>
             </div>
 

src/app/_components/ServerForm.tsx

@@ -438,6 +438,11 @@ export function ServerForm({
             {errors.password && (
               <p className="text-destructive mt-1 text-sm">{errors.password}</p>
             )}
+            <p className="text-muted-foreground mt-1 text-xs">
+              SSH key is recommended when possible. Special characters (e.g.{" "}
+              <code className="rounded bg-muted px-0.5">{"{ } $ \" '"}</code>) are
+              supported.
+            </p>
           </div>
         )}
 

src/server/api/routers/installedScripts.ts

@@ -1060,7 +1060,7 @@ export const installedScriptsRouter = createTRPCRouter({
               reject(new Error(`pct list failed: ${error}`));
             },
             (_exitCode: number) => {
-              resolve();
+              setImmediate(() => resolve());
             }
           );
         });
@@ -1079,7 +1079,7 @@ export const installedScriptsRouter = createTRPCRouter({
               reject(new Error(`qm list failed: ${error}`));
             },
             (_exitCode: number) => {
-              resolve();
+              setImmediate(() => resolve());
             }
           );
         });

src/server/services/backupService.ts

@@ -327,13 +327,16 @@ class BackupService {
     // PBS supports PBS_PASSWORD and PBS_REPOSITORY environment variables for non-interactive login
     const repository = `root@pam@${pbsIp}:${pbsDatastore}`;
     
-    // Escape password for shell safety (single quotes)
+    // Escape password and fingerprint for shell safety (single quotes)
     const escapedPassword = credential.pbs_password.replace(/'/g, "'\\''");
-    
+    const fingerprint = credential.pbs_fingerprint?.trim() ?? '';
-    // Use PBS_PASSWORD environment variable for non-interactive authentication
+    const escapedFingerprint = fingerprint ? fingerprint.replace(/'/g, "'\\''") : '';
-    // Auto-accept fingerprint by piping "y" to stdin
+    const envParts = [`PBS_PASSWORD='${escapedPassword}'`, `PBS_REPOSITORY='${repository}'`];
-    // PBS will use PBS_PASSWORD env var if available, avoiding interactive prompt
+    if (escapedFingerprint) {
-    const fullCommand = `echo "y" | PBS_PASSWORD='${escapedPassword}' PBS_REPOSITORY='${repository}' timeout 10 proxmox-backup-client login --repository ${repository} 2>&1`;
+      envParts.push(`PBS_FINGERPRINT='${escapedFingerprint}'`);
+    }
+    const envStr = envParts.join(' ');
+    const fullCommand = `${envStr} timeout 10 proxmox-backup-client login --repository ${repository} 2>&1`;
     
     console.log(`[BackupService] Logging into PBS: ${repository}`);
     
@@ -419,9 +422,12 @@ class BackupService {
     
     // Build full repository string: root@pam@<IP>:<DATASTORE>
     const repository = `root@pam@${pbsIp}:${pbsDatastore}`;
-    
+    const fingerprint = credential.pbs_fingerprint?.trim() ?? '';
+    const escapedFingerprint = fingerprint ? fingerprint.replace(/'/g, "'\\''") : '';
+    const snapshotEnvParts = escapedFingerprint ? [`PBS_FINGERPRINT='${escapedFingerprint}'`] : [];
+    const snapshotEnvStr = snapshotEnvParts.length ? snapshotEnvParts.join(' ') + ' ' : '';
     // Use correct command: snapshot list ct/<CT_ID> --repository <full_repo_string>
-    const command = `timeout 30 proxmox-backup-client snapshot list ct/${ctId} --repository ${repository} 2>&1 || echo "PBS_ERROR"`;
+    const command = `${snapshotEnvStr}timeout 30 proxmox-backup-client snapshot list ct/${ctId} --repository ${repository} 2>&1 || echo "PBS_ERROR"`;
     let output = '';
     
     console.log(`[BackupService] Discovering PBS backups for CT ${ctId} on repository ${repository}`);

src/server/services/restoreService.ts

@@ -250,9 +250,16 @@ class RestoreService {
     const targetFolder = `/var/lib/vz/dump/vzdump-lxc-${ctId}-${snapshotNameForPath}`;
     const targetTar = `${targetFolder}.tar`;
     
-    // Use PBS_PASSWORD env var and add timeout for long downloads
+    // Use PBS_PASSWORD env var and add timeout for long downloads; PBS_FINGERPRINT when set for cert validation
     const escapedPassword = credential.pbs_password.replace(/'/g, "'\\''");
-    const restoreCommand = `PBS_PASSWORD='${escapedPassword}' PBS_REPOSITORY='${repository}' timeout 300 proxmox-backup-client restore "${snapshotPath}" root.pxar "${targetFolder}" --repository '${repository}' 2>&1`;
+    const fingerprint = credential.pbs_fingerprint?.trim() ?? '';
+    const escapedFingerprint = fingerprint ? fingerprint.replace(/'/g, "'\\''") : '';
+    const restoreEnvParts = [`PBS_PASSWORD='${escapedPassword}'`, `PBS_REPOSITORY='${repository}'`];
+    if (escapedFingerprint) {
+      restoreEnvParts.push(`PBS_FINGERPRINT='${escapedFingerprint}'`);
+    }
+    const restoreEnvStr = restoreEnvParts.join(' ');
+    const restoreCommand = `${restoreEnvStr} timeout 300 proxmox-backup-client restore "${snapshotPath}" root.pxar "${targetFolder}" --repository '${repository}' 2>&1`;
     
     let output = '';
     let exitCode = 0;

src/server/ssh-execution-service.js

@@ -1,6 +1,8 @@
 import { spawn } from 'child_process';
 import { spawn as ptySpawn } from 'node-pty';
-import { existsSync } from 'fs';
+import { existsSync, writeFileSync, chmodSync, unlinkSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
 
 
 /**
@@ -194,26 +196,45 @@ class SSHExecutionService {
    */
   async transferScriptsFolder(server, onData, onError) {
     const { ip, user, password, auth_type = 'password', ssh_key_passphrase, ssh_key_path, ssh_port = 22 } = server;
-    
+
+    const cleanupTempFile = (/** @type {string | null} */ tempPath) => {
+      if (tempPath) {
+        try {
+          unlinkSync(tempPath);
+        } catch (_) {
+          // ignore
+        }
+      }
+    };
+
     return new Promise((resolve, reject) => {
+      /** @type {string | null} */
+      let tempPath = null;
       try {
-        // Build rsync command based on authentication type
+        // Build rsync command based on authentication type.
+        // Use sshpass -f with a temp file so password/passphrase never go through the shell (safe for special chars like {, $, ").
         let rshCommand;
         if (auth_type === 'key') {
           if (!ssh_key_path || !existsSync(ssh_key_path)) {
             throw new Error('SSH key file not found');
           }
-          
+
           if (ssh_key_passphrase) {
-            rshCommand = `sshpass -P passphrase -p ${ssh_key_passphrase} ssh -i ${ssh_key_path} -p ${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`;
+            tempPath = join(tmpdir(), `sshpass-${process.pid}-${Date.now()}.tmp`);
+            writeFileSync(tempPath, ssh_key_passphrase);
+            chmodSync(tempPath, 0o600);
+            rshCommand = `sshpass -P passphrase -f ${tempPath} ssh -i ${ssh_key_path} -p ${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`;
           } else {
             rshCommand = `ssh -i ${ssh_key_path} -p ${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`;
           }
         } else {
           // Password authentication
-          rshCommand = `sshpass -p ${password} ssh -p ${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`;
+          tempPath = join(tmpdir(), `sshpass-${process.pid}-${Date.now()}.tmp`);
+          writeFileSync(tempPath, password ?? '');
+          chmodSync(tempPath, 0o600);
+          rshCommand = `sshpass -f ${tempPath} ssh -p ${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`;
         }
-        
+
         const rsyncCommand = spawn('rsync', [
           '-avz',
           '--delete',
@@ -226,31 +247,31 @@ class SSHExecutionService {
           stdio: ['pipe', 'pipe', 'pipe']
         });
 
-      rsyncCommand.stdout.on('data', (/** @type {Buffer} */ data) => {
+        rsyncCommand.stdout.on('data', (/** @type {Buffer} */ data) => {
-        // Ensure proper UTF-8 encoding for ANSI colors
+          const output = data.toString('utf8');
-        const output = data.toString('utf8');
+          onData(output);
-        onData(output);
+        });
-      });
 
-      rsyncCommand.stderr.on('data', (/** @type {Buffer} */ data) => {
+        rsyncCommand.stderr.on('data', (/** @type {Buffer} */ data) => {
-        // Ensure proper UTF-8 encoding for ANSI colors
+          const output = data.toString('utf8');
-        const output = data.toString('utf8');
+          onError(output);
-        onError(output);
+        });
-      });
 
-      rsyncCommand.on('close', (code) => {
+        rsyncCommand.on('close', (code) => {
-        if (code === 0) {
+          cleanupTempFile(tempPath);
-          resolve();
+          if (code === 0) {
-        } else {
+            resolve();
-          reject(new Error(`rsync failed with code ${code}`));
+          } else {
-        }
+            reject(new Error(`rsync failed with code ${code}`));
-      });
+          }
+        });
 
-      rsyncCommand.on('error', (error) => {
+        rsyncCommand.on('error', (error) => {
-        reject(error);
+          cleanupTempFile(tempPath);
-      });
+          reject(error);
-      
+        });
       } catch (error) {
+        cleanupTempFile(tempPath);
         reject(error);
       }
     });

src/server/ssh-service.js

@@ -169,16 +169,17 @@ class SSHService {
       const timeout = 10000;
       let resolved = false;
       
+      // Pass password via env so it is not embedded in the script (safe for special chars like {, $, ").
       const expectScript = `#!/usr/bin/expect -f
 set timeout 10
 spawn ssh -p ${ssh_port} -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o PasswordAuthentication=yes -o PubkeyAuthentication=no ${user}@${ip} "echo SSH_LOGIN_SUCCESS"
 expect {
   "password:" {
-    send "${password}\r"
+    send "$env(SSH_PASSWORD)\\r"
     exp_continue
   }
   "Password:" {
-    send "${password}\r"
+    send "$env(SSH_PASSWORD)\\r"
     exp_continue
   }
   "SSH_LOGIN_SUCCESS" {
@@ -193,7 +194,8 @@ expect {
 }`;
 
       const expectCommand = spawn('expect', ['-c', expectScript], {
-        stdio: ['pipe', 'pipe', 'pipe']
+        stdio: ['pipe', 'pipe', 'pipe'],
+        env: { ...process.env, SSH_PASSWORD: password ?? '' }
       });
 
       const timer = setTimeout(() => {