ric/dockge
1
0
Fork 0
mirror of https://github.com/louislam/dockge.git synced 2024-11-30 14:24:02 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(security): bypass allowed cmds

Browse source
This commit is contained in:
zx 2023-11-13 20:50:30 -05:00 committed by GitHub
parent d1732af529
commit 52ea324129
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
backend/terminal.ts
View file

@ -219,11 +219,14 @@ export class MainTerminal extends InteractiveTerminal {
// Check if the command is allowed // Check if the command is allowed
const cmdParts = input.split(" "); const cmdParts = input.split(" ");
const executable = cmdParts[0].trim(); const executable = cmdParts[0].trim();
const knownOperators = ["&&", "||", "&", ";"];
log.debug("console", "Executable: " + executable); log.debug("console", "Executable: " + executable);
log.debug("console", "Executable length: " + executable.length); log.debug("console", "Executable length: " + executable.length);
if (!allowedCommandList.includes(executable)) { if (!allowedCommandList.includes(executable)) {
throw new Error("Command not allowed."); throw new Error("Command not allowed.");
} else if (knownOperators.some(operator => input.includes(operator))) {
throw new Error("Control operators are not allowed.");
} }
super.write(input); super.write(input);
} }