command injection check in some fm functions

This commit is contained in:
Usman Nasir
2020-02-07 21:26:55 +05:00
parent f1bf99f91e
commit 0df1ede02a
3 changed files with 18 additions and 6 deletions


@@ -45,6 +45,7 @@ class secMiddleware:
return HttpResponse(final_json) return HttpResponse(final_json)
except: except:
pass pass
if request.method == 'POST': if request.method == 'POST':
try: try:
#logging.writeToFile(request.body) #logging.writeToFile(request.body)


@@ -6,7 +6,7 @@ from websiteFunctions.models import Websites
from random import randint from random import randint
from django.core.files.storage import FileSystemStorage from django.core.files.storage import FileSystemStorage
import html.parser import html.parser
import os from plogical.acl import ACLManager
class FileManager: class FileManager:
def __init__(self, request, data): def __init__(self, request, data):
@@ -332,11 +332,8 @@ class FileManager:
writeToFile.write(self.data['fileContent'].encode('utf-8')) writeToFile.write(self.data['fileContent'].encode('utf-8'))
writeToFile.close() writeToFile.close()
command = 'ls -la %s' % (self.data['fileName']) if ACLManager.commandInjectionCheck(self.data['fileName']) == 1:
output = ProcessUtilities.outputExecutioner(command) return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
if output.find('lrwxrwxrwx') > -1 and output.find('->') > -1:
return self.ajaxPre(0, 'File exists and is symlink.')
if self.data['fileName'].find(self.data['home']) == -1 or self.data['fileName'].find('..') > -1: if self.data['fileName'].find(self.data['home']) == -1 or self.data['fileName'].find('..') > -1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!') return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
@@ -368,6 +365,9 @@ class FileManager:
finalData['fileName'] = fs.url(filename) finalData['fileName'] = fs.url(filename)
pathCheck = '/home/%s' % (self.data['domainName']) pathCheck = '/home/%s' % (self.data['domainName'])
if ACLManager.commandInjectionCheck(self.data['completePath'] + '/' + myfile.name) == 1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
if (self.data['completePath'] + '/' + myfile.name).find(pathCheck) == -1 or ((self.data['completePath'] + '/' + myfile.name)).find('..') > -1: if (self.data['completePath'] + '/' + myfile.name).find(pathCheck) == -1 or ((self.data['completePath'] + '/' + myfile.name)).find('..') > -1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!') return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
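Review bot: The replacement at the former `ls -la` site drops the symlink guard entirely — the removed `lrwxrwxrwx`/`->` test was the only thing rejecting a write through a symlink, and `commandInjectionCheck` does not cover that case. The guard can be kept without shelling out, `if os.path.islink(self.data['fileName']):` followed by `return self.ajaxPre(0, 'File exists and is symlink.')`, which also means the `import os` removed in the first hunk should stay. Both new rejections reuse the message 'Not allowed to move in this path, please choose location inside home!', which misdescribes a metacharacter rejection; a distinct message such as `'Invalid characters in path.'` would make the response and any log line meaningful. In the upload hunk the check runs after `fs.url(filename)`, so if the storage save happens earlier (outside the hunk) the file is already on disk when the request is rejected — worth confirming. The enclosing methods start and end outside these hunks.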


@@ -17,6 +17,17 @@ from dockerManager.models import Containers
class ACLManager: class ACLManager:
@staticmethod
def commandInjectionCheck(value):
if value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
"{") > -1 or value.find("}") > -1 \
or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
return 1
else:
return 0
@staticmethod @staticmethod
def loadedACL(val): def loadedACL(val):
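Review bot: `commandInjectionCheck` is a denylist and, as written, still passes some shell-significant input (a bare `&`, a backslash or a newline is not listed), so it should be treated as defence in depth rather than the fix for string-built commands such as the `ProcessUtilities.outputExecutioner(command)` call this commit removes; the durable fix is to quote the value with `shlex.quote()` or pass it as a separate argv element at the point where it is interpolated. The chained `value.find(x) > -1` tests would read better as a class-level tuple `_SHELL_META` holding the same sixteen tokens and `return 1 if any(t in value for t in ACLManager._SHELL_META) else 0`, which keeps the 1/0 contract the callers compare with `== 1`. A docstring stating that the function rejects rather than sanitises, and that it matches '...' rather than '..' (the traversal test lives with the callers), would help the next reader. The method is inside class ACLManager, which continues past the hunk.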