Fix command bash injection using filename + add constant to disable commands

2020-06-17 19:08:11 +02:00 · 2020-06-17 19:08:11 +02:00 · 39caa92a62
parent 3839742f58
commit 39caa92a62
3 changed files with 25 additions and 4 deletions
--- a/controllers/internals/Command.php
+++ b/controllers/internals/Command.php
@ -78,6 +78,11 @@ namespace controllers\internals;
         */
        public function analyze_and_process (int $id_user, string $message)
        {
+            if (!ENABLE_COMMAND)
+            {
+                return false;
+            }
+
            $extracted_command = [];

            $decode_message = json_decode(trim($message), true);
@ -127,7 +132,13 @@ namespace controllers\internals;
            $decode_message['password'] = '******';
            $updated_text = json_encode($decode_message);

-            $generated_command = PWD_SCRIPTS . '/' . $find_command['script'];
+            $script = $find_command['script'];
+            while (str_replace('..', '', $script) !== $script)
+            {
+                $script = str_replace('..', '', $script);
+            }
+
+            $generated_command = PWD_SCRIPTS . '/' . escapeshellarg($script);
            $args = $decode_message['args'] ?? '';
            $generated_command .= ' ' . escapeshellcmd($args);

--- a/controllers/publics/Command.php
+++ b/controllers/publics/Command.php
@ -27,6 +27,14 @@ namespace controllers\publics;
            $this->internal_event = new \controllers\internals\Event($bdd);

            \controllers\internals\Tool::verifyconnect();
+
+            if (!ENABLE_COMMAND)
+            {
+                \FlashMessage\FlashMessage::push('danger', 'Les commandes sont désactivées.');
+                $this->redirect(\descartes\Router::url('Dashboard', 'show'));
+
+                exit(0);
+            }
        }

        /**
--- a/templates/incs/nav.php
+++ b/templates/incs/nav.php
@ -80,9 +80,11 @@
 							</li>
 						</ul>
                    </li>
-					<li <?php echo $page == 'commands' ? 'class="active"' : ''; ?>>
-						<a href="<?php echo \descartes\Router::url('Command', 'list'); ?>"><i class="fa fa-fw fa-terminal"></i> Commandes</a>
-                    </li>
+                    <?php if (ENABLE_COMMAND) { ?>
+                        <li <?php echo $page == 'commands' ? 'class="active"' : ''; ?>>
+                            <a href="<?php echo \descartes\Router::url('Command', 'list'); ?>"><i class="fa fa-fw fa-terminal"></i> Commandes</a>
+                        </li>
+					<?php } ?>
                    <?php if ($_SESSION['user']['settings']['webhook'] ?? false) { ?>
                        <li <?php echo $page == 'webhooks' ? 'class="active"' : ''; ?>>
                            <a href="<?php echo \descartes\Router::url('Webhook', 'list'); ?>"><i class="fa fa-fw fa-plug"></i> Webhooks</a>