From 6282cb41a8d3dac4995432baee1e25056a30909b Mon Sep 17 00:00:00 2001
From: Alejandro Sirgo Rica
Date: Mon, 24 Jun 2024 11:01:22 +0200
Subject: live: add restricted execution mode to shell/run
Try to find the script to run for a shell/run request in /opt/opengnsys/shell/, restricted mode is enabled if the script is found. Excute the script without shell=True and executable=OG_SHELL in restricted mode. Restricted mode is a safer execution method as it only executes code manually defined by the administrator. Each script needs to define a shebang, this way more than just bash is supported.
---
src/live/ogOperations.py | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
(limited to 'src/live')
diff --git a/src/live/ogOperations.py b/src/live/ogOperations.py
index a3997b3..d0129e8 100644
--- a/src/live/ogOperations.py
+++ b/src/live/ogOperations.py
@@ -281,11 +281,26 @@ class OgLiveOperations:
 self._restartBrowser(self._url_log)
+ shell_path = '/opt/opengnsys/shell/'
+
+ restricted_mode = False
+
+ for file_name in os.listdir(shell_path):
+ file_path = os.path.join(shell_path, file_name)
+
+ if cmds[0] == file_name:
+ cmds[0] = file_path
+ restricted_mode = True
+ break
+
 try:
- ogRest.proc = subprocess.Popen(cmds,
- stdout=subprocess.PIPE,
- shell=True,
- executable=OG_SHELL)
+ if restricted_mode:
+ ogRest.proc = subprocess.Popen(cmds, stdout=subprocess.PIPE)
+ else:
+ ogRest.proc = subprocess.Popen(cmds,
+ stdout=subprocess.PIPE,
+ shell=True,
+ executable=OG_SHELL)
 (output, error) = ogRest.proc.communicate()
 except OSError as e:
 raise OgError(f'Error when running "shell run" subprocess: {e}') from e
--
cgit v1.2.3-18-g5258
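Review bot: `os.listdir(shell_path)` runs before the `try:`, so on a client where `/opt/opengnsys/shell/` does not exist nothing in this hunk turns the resulting `FileNotFoundError` into an `OgError`, and shell/run would fail there even for commands meant for the unrestricted path. Guard the lookup, for example with `if os.path.isdir(shell_path):` around the loop, or catch `OSError` from the listing and decide explicitly whether a missing directory means unrestricted execution or a refused request. Separately, restricted mode is selected by the request rather than enforced: any `cmds[0]` that matches no file name still reaches `Popen(..., shell=True, executable=OG_SHELL)`, so the directory only constrains requests that name a listed script. A comment above the `else:` branch such as `# no match in shell_path: falls back to unrestricted shell execution` would make that boundary visible, and an administrator setting that rejects unmatched commands would make the restriction an actual control. The method starts above the hunk, so how `cmds` is built and whether it can be empty (which would make `cmds[0]` raise `IndexError`) is not visible here.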