DEV: Raise exception when execute_command will spawn a shell (#12716)

David Taylor 2021-04-15 16:29:37 +01:00 committed by GitHub
parent eb99ecf1d2
commit 0ec5fd5262
2 changed files with 22 additions and 1 deletions


@ -95,10 +95,16 @@ module Discourse
private
def execute_command(*command, timeout: nil, failure_message: "", success_status_codes: [0], chdir: ".")
def execute_command(*command, timeout: nil, failure_message: "", success_status_codes: [0], chdir: ".", unsafe_shell: false)
env = nil
env = command.shift if command[0].is_a?(Hash)
if !unsafe_shell && (command.length == 1) && command[0].include?(" ")
# Sending a single string to Process.spawn will launch a shell
# This means various things (e.g. subshells) are possible, and could present injection risk
raise "Arguments should be provided as separate strings"
end
if timeout
# will send a TERM after timeout
# will send a KILL after timeout * 2


@ -438,6 +438,21 @@ describe Discourse do
has_checked_chdir = true
thread.join
end
it "raises error for unsafe shell" do
expect(Discourse::Utils.execute_command("pwd").strip).to eq(Rails.root.to_s)
expect do
Discourse::Utils.execute_command("echo a b c")
end.to raise_error(RuntimeError)
expect do
Discourse::Utils.execute_command({ "ENV1" => "VAL" }, "echo a b c")
end.to raise_error(RuntimeError)
expect(Discourse::Utils.execute_command("echo", "a", "b", "c").strip).to eq("a b c")
expect(Discourse::Utils.execute_command("echo a b c", unsafe_shell: true).strip).to eq("a b c")
end
end
end
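Review bot: The two `raise_error(RuntimeError)` expectations match any bare `raise` from anywhere in `execute_command`, so an unrelated failure (for example the timeout or failure_message path) would also satisfy them; pin the message with `end.to raise_error(RuntimeError, /separate strings/)` on both expectations. It is also worth adding a case for a single string without spaces but with a shell metacharacter, since that is the input Process.spawn actually routes through a shell and the new guard does not reject it. The `describe Discourse do` block starts outside this hunk.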