Skip to content

Commit

Permalink
Use shellescape in more potentially dangerous places (#44)
Browse files Browse the repository at this point in the history
  • Loading branch information
grembo authored Dec 1, 2023
1 parent 81e1841 commit 1fa712f
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 14 deletions.
9 changes: 5 additions & 4 deletions driver/pot.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import (
"syscall"
"time"

"github.com/alessio/shellescape"
"github.com/armon/circbuf"
"github.com/creack/pty"
hclog "github.com/hashicorp/go-hclog"
Expand Down Expand Up @@ -240,7 +241,7 @@ func (s *syexec) createContainer(commandCfg *drivers.TaskConfig) error {
message := potBIN + " " + command
s.logger.Debug("Setting pot attributes: ", message)

cmdAttr := potBIN + " " + command
cmdAttr := shellescape.Quote(potBIN) + " " + command
output, err := exec.Command("sh", "-c", cmdAttr).Output()
if err != nil {
if exitError, ok := err.(*exec.ExitError); ok {
Expand All @@ -260,7 +261,7 @@ func (s *syexec) createContainer(commandCfg *drivers.TaskConfig) error {
message := potBIN + " " + command
s.logger.Debug("Copying files on jail: ", message)

cmdFiles := potBIN + " " + command
cmdFiles := shellescape.Quote(potBIN) + " " + command
output, err := exec.Command("sh", "-c", cmdFiles).Output()
if err != nil {
if exitError, ok := err.(*exec.ExitError); ok {
Expand All @@ -280,7 +281,7 @@ func (s *syexec) createContainer(commandCfg *drivers.TaskConfig) error {
message := potBIN + " " + command
s.logger.Debug("Mounting files on jail: ", message)

cmdVolumes := potBIN + " " + command
cmdVolumes := shellescape.Quote(potBIN) + " " + command
output, err := exec.Command("sh", "-c", cmdVolumes).Output()
if err != nil {
if exitError, ok := err.(*exec.ExitError); ok {
Expand All @@ -299,7 +300,7 @@ func (s *syexec) createContainer(commandCfg *drivers.TaskConfig) error {
message := potBIN + " " + command
s.logger.Debug("Mounting READ only files on jail: ", message)

cmdVolumesRO := potBIN + " " + command
cmdVolumesRO := shellescape.Quote(potBIN) + " " + command
output, err := exec.Command("sh", "-c", cmdVolumesRO).Output()
if err != nil {
if exitError, ok := err.(*exec.ExitError); ok {
Expand Down
20 changes: 10 additions & 10 deletions driver/prepare.go
Original file line number Diff line number Diff line change
Expand Up @@ -83,11 +83,11 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
potName := baseName + "_" + jobIDAllocID

//Mount local
commandLocal := "mount-in -p " + potName + " -d " + cfg.TaskDir().LocalDir + " -m /local"
commandLocal := "mount-in -p " + shellescape.Quote(potName) + " -d " + shellescape.Quote(cfg.TaskDir().LocalDir) + " -m /local"
se.argvMount = append(se.argvMount, commandLocal)

//Mount secrets
commandSecret := "mount-in -p " + potName + " -d " + cfg.TaskDir().SecretsDir + " -m /secrets"
commandSecret := "mount-in -p " + shellescape.Quote(potName) + " -d " + shellescape.Quote(cfg.TaskDir().SecretsDir) + " -m /secrets"
se.argvMount = append(se.argvMount, commandSecret)

if len(taskCfg.Copy) > 0 {
Expand All @@ -96,7 +96,7 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
split := strings.SplitN(file, ":", 2)
source := split[0]
destination := split[1]
command := "copy-in -p " + potName + " -s " + source + " -d " + destination
command := "copy-in -p " + shellescape.Quote(potName) + " -s " + shellescape.Quote(source) + " -d " + shellescape.Quote(destination)
argvCopy = append(argvCopy, command)
}
se.argvCopy = argvCopy
Expand All @@ -107,7 +107,7 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
split := strings.Split(file, ":")
source := split[0]
destination := split[1]
command := "mount-in -p " + potName + " -d " + source + " -m " + destination
command := "mount-in -p " + shellescape.Quote(potName) + " -d " + shellescape.Quote(source) + " -m " + shellescape.Quote(destination)
se.argvMount = append(se.argvMount, command)
}
}
Expand All @@ -118,7 +118,7 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
split := strings.Split(file, ":")
source := split[0]
destination := split[1]
command := "mount-in -p " + potName + " -d " + source + " -m " + destination + " -r"
command := "mount-in -p " + shellescape.Quote(potName) + " -d " + shellescape.Quote(source) + " -m " + shellescape.Quote(destination) + " -r"
argvMountReadOnly = append(argvMountReadOnly, command)
}
se.argvMountReadOnly = argvMountReadOnly
Expand All @@ -130,14 +130,14 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
split := strings.Split(attr, ":")
attribute := split[0]
value := split[1]
command := "set-attribute -p " + potName + " -A " + shellescape.Quote(attribute) + " -V " + shellescape.Quote(value)
command := "set-attribute -p " + shellescape.Quote(potName) + " -A " + shellescape.Quote(attribute) + " -V " + shellescape.Quote(value)
se.argvAttributes = append(se.argvAttributes, command)
}
}

// Set env variables
if len(cfg.EnvList()) > 0 {
command := potBIN + " set-env -p " + potName + " "
command := shellescape.Quote(potBIN) + " set-env -p " + shellescape.Quote(potName) + " "
for name, env := range cfg.Env {
command = command + " -E " + shellescape.Quote(name) + "=" + shellescape.Quote(env)
}
Expand All @@ -146,17 +146,17 @@ func prepareContainer(cfg *drivers.TaskConfig, taskCfg TaskConfig) (syexec, erro
}

if len(taskCfg.ExtraHosts) > 0 {
hostCommand := potBIN + " set-hosts -p " + potName
hostCommand := shellescape.Quote(potBIN) + " set-hosts -p " + shellescape.Quote(potName)
for _, host := range taskCfg.ExtraHosts {
hostCommand = hostCommand + " -H " + host
hostCommand = hostCommand + " -H " + shellescape.Quote(host)
}
se.argvExtraHosts = hostCommand
}

//Set soft memory limit
memoryLimit := cfg.Resources.NomadResources.Memory.MemoryMB
sMemoryLimit := strconv.FormatInt(memoryLimit, 10)
argvMem := potBIN + " set-rss -M " + sMemoryLimit + "M -p " + potName
argvMem := shellescape.Quote(potBIN) + " set-rss -M " + sMemoryLimit + "M -p " + potName
se.argvMem = argvMem

argvStart := make([]string, 0, 50)
Expand Down

0 comments on commit 1fa712f

Please # to comment.