fix: 解决命令注入waf被绕过的问题 (1Panel-dev#4131)

L1nyz-tel · web-flow · commit 1087f7e873dc · 2024-03-08T22:43:56.000+08:00
diff --git a/backend/utils/cmd/cmd.go b/backend/utils/cmd/cmd.go
@@ -177,7 +177,8 @@ func CheckIllegal(args ...string) bool {
 	for _, arg := range args {
 		if strings.Contains(arg, "&") || strings.Contains(arg, "|") || strings.Contains(arg, ";") ||
 			strings.Contains(arg, "$") || strings.Contains(arg, "'") || strings.Contains(arg, "`") ||
-			strings.Contains(arg, "(") || strings.Contains(arg, ")") || strings.Contains(arg, "\"") {
+			strings.Contains(arg, "(") || strings.Contains(arg, ")") || strings.Contains(arg, "\"") ||
+			strings.Contains(arg, "\n") || strings.Contains(arg, "\r") {
 			return true
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,8 @@ func CheckIllegal(args ...string) bool {`
`177`	`177`	`for _, arg := range args {`
`178`	`178`	`if strings.Contains(arg, "&") \|\| strings.Contains(arg, "\|") \|\| strings.Contains(arg, ";") \|\|`
`179`	`179`	strings.Contains(arg, "$") \|\| strings.Contains(arg, "'") \|\| strings.Contains(arg, "`") \|\|
`180`		`- strings.Contains(arg, "(") \|\| strings.Contains(arg, ")") \|\| strings.Contains(arg, "\"") {`
	`180`	`+ strings.Contains(arg, "(") \|\| strings.Contains(arg, ")") \|\| strings.Contains(arg, "\"") \|\|`
	`181`	`+ strings.Contains(arg, "\n") \|\| strings.Contains(arg, "\r") {`
`181`	`182`	`return true`
`182`	`183`	`}`
`183`	`184`	`}`