author | Alejandro Sirgo Rica <asirgo@soleta.eu> | 2024-06-24 11:01:22 +0200 |
---|---|---|
committer | Alejandro Sirgo Rica <asirgo@soleta.eu> | 2024-06-25 13:41:41 +0200 |
commit | 6282cb41a8d3dac4995432baee1e25056a30909b (patch) | |
tree | 23564dbfeb89aa509e7944af07307311d213421c /src/live | |
parent | 1c9a13cd968559f89ba6b114c978eeb8c9629bed (diff) |
live: add restricted execution mode to shell/run
Try to find the script to run for a shell/run request in
/opt/opengnsys/shell/, restricted mode is enabled if the
script is found.
Execute the script without shell=True and executable=OG_SHELL in
restricted mode.
Restricted mode is a safer execution method as it only executes
code manually defined by the administrator.
Each script needs to define a shebang, this way more than just bash
is supported.
Diffstat (limited to 'src/live')
-rw-r--r-- | src/live/ogOperations.py | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/src/live/ogOperations.py b/src/live/ogOperations.py
index a3997b3..d0129e8 100644
--- a/src/live/ogOperations.py
+++ b/src/live/ogOperations.py
@@ -281,11 +281,26 @@ class OgLiveOperations:
 self._restartBrowser(self._url_log)
+ shell_path = '/opt/opengnsys/shell/'
+
+ restricted_mode = False
+
+ for file_name in os.listdir(shell_path):
+ file_path = os.path.join(shell_path, file_name)
+
+ if cmds[0] == file_name:
+ cmds[0] = file_path
+ restricted_mode = True
+ break
+
 try:
- ogRest.proc = subprocess.Popen(cmds,
- stdout=subprocess.PIPE,
- shell=True,
- executable=OG_SHELL)
+ if restricted_mode:
+ ogRest.proc = subprocess.Popen(cmds, stdout=subprocess.PIPE)
+ else:
+ ogRest.proc = subprocess.Popen(cmds,
+ stdout=subprocess.PIPE,
+ shell=True,
+ executable=OG_SHELL)
 (output, error) = ogRest.proc.communicate()
 except OSError as e:
 raise OgError(f'Error when running "shell run" subprocess: {e}') from e |
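Review bot: `os.listdir(shell_path)` runs before the `try:`, so on a client where `/opt/opengnsys/shell/` does not exist the resulting FileNotFoundError bypasses the `except OSError` handler and is not converted to OgError; unless a caller outside the hunk handles it, every shell/run request then fails before reaching either Popen branch. Moving the lookup inside the `try:`, or guarding it with `if os.path.isdir(shell_path):`, would keep error reporting consistent. Separately, a request whose first word matches no file still reaches the `shell=True` branch, so the restricted mode constrains nothing until that fallback can be switched off; a comment on the `else:` such as `# unrestricted: request is handed to OG_SHELL as-is` would make the remaining exposure explicit. The match also accepts any directory entry (subdirectories, non-executable files), which `os.path.isfile(file_path)` would narrow. The enclosing method starts and ends outside the hunk, so how `cmds` is built and whether it can be empty is not visible here.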