fix(security): bypass allowed cmds

zx 2023-11-13 20:50:30 -05:00 committed by GitHub
parent d1732af529
commit 52ea324129
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -219,11 +219,14 @@ export class MainTerminal extends InteractiveTerminal {
// Check if the command is allowed // Check if the command is allowed
const cmdParts = input.split(" "); const cmdParts = input.split(" ");
const executable = cmdParts[0].trim(); const executable = cmdParts[0].trim();
const knownOperators = ["&&", "||", "&", ";"];
log.debug("console", "Executable: " + executable); log.debug("console", "Executable: " + executable);
log.debug("console", "Executable length: " + executable.length); log.debug("console", "Executable length: " + executable.length);
if (!allowedCommandList.includes(executable)) { if (!allowedCommandList.includes(executable)) {
throw new Error("Command not allowed."); throw new Error("Command not allowed.");
} else if (knownOperators.some(operator => input.includes(operator))) {
throw new Error("Control operators are not allowed.");
} }
super.write(input); super.write(input);
} }
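Review bot: The `knownOperators` check in the new `else if` branch is a denylist of four substrings, so input that uses any other shell metacharacter (a single `|`, command substitution, redirection, or an embedded newline) still reaches `super.write(input)` as long as its first word is an allowed command. Assuming the terminal behind `super.write` is a shell, an allowlist of characters is the safer shape, e.g. `if (!/^[A-Za-z0-9 ._\/:=@-]+$/.test(input)) { throw new Error("Control operators are not allowed."); }`, with the character set confirmed against the arguments the allowed commands actually need. The enclosing method starts outside the hunk, so how `input` is framed before this check (trailing newline, trimming) cannot be verified from here.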