github.com/nextcloud/spreed.git - Unnamed repository; edit this file 'description' to name the repository.
authorJoas Schilling <coding@schilljs.com>2020-04-20 10:20:52 +0300
committerJoas Schilling <coding@schilljs.com>2020-04-20 10:20:52 +0300
commitd43f67ec2ecbe24ff0aa6f53e498c4965047bf98 (patch)
tree4bde14705f6bbeb0031c07c706ea9d6540577e34 /lib
parent296596ca32ec320ecee108311aa9c1d814991127 (diff)
Prevent adding hurtful commands
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/Command/Command/Add.php3
-rw-r--r--lib/Service/CommandService.php7
2 files changed, 10 insertions, 0 deletions
diff --git a/lib/Command/Command/Add.php b/lib/Command/Command/Add.php
index beb17fa6b..cd2d24642 100644
--- a/lib/Command/Command/Add.php
+++ b/lib/Command/Command/Add.php
@@ -98,6 +98,9 @@ class Add extends Base {
case 5:
$output->writeln('<error>The enabled value is invalid</error>');
break;
+ case 6:
+ $output->writeln('<error>The placeholders {ROOM}, {USER} and {ARGUMENTS} must not be used inside quotes</error>');
+ break;
default:
$output->writeln('<error>The command could not be added</error>');
break;
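Review bot: The case-6 message on the new line only describes the quoted-placeholder rule, yet CommandService.php in this same commit throws code 6 for a script containing `{ARGUMENTS_DOUBLEQUOTE_ESCAPED}` as well, so an admin whose command was rejected for that reason is told about quotes that are not there. Either give that condition its own code and case, or widen the text, e.g. `$output->writeln('<error>The placeholders {ROOM}, {USER} and {ARGUMENTS} must not be used inside quotes, and {ARGUMENTS_DOUBLEQUOTE_ESCAPED} is not allowed</error>');`. The switch this case belongs to starts and ends outside the hunk.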
diff --git a/lib/Service/CommandService.php b/lib/Service/CommandService.php
index 2f40b3f9c..b7d147cd8 100644
--- a/lib/Service/CommandService.php
+++ b/lib/Service/CommandService.php
@@ -142,6 +142,13 @@ class CommandService {
throw new \InvalidArgumentException('script', 3);
}
} else {
+ if (preg_match('/[`\'"]{(?:ARGUMENTS|ROOM|USER)}[`\'"]/i', $script)) {
+ throw new \InvalidArgumentException('script-parameters', 6);
+ }
+ if (strpos($script, '{ARGUMENTS_DOUBLEQUOTE_ESCAPED}') !== false) {
+ throw new \InvalidArgumentException('script-parameters', 6);
+ }
+
try {
$this->shellExecutor->execShell($script, '--help');
} catch (\InvalidArgumentException $e) {
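Review bot: The new regex only flags a placeholder whose immediately adjacent characters are quote marks, so a placeholder that sits inside a longer quoted string (e.g. `"prefix {ARGUMENTS}"`) passes the check although the matching error text in Add.php says placeholders must not be used inside quotes at all; if the broader rule is intended the pattern has to match a placeholder anywhere between a quote pair, and either way the intent deserves a comment such as `// NOTE(review): placeholders presumably get shell-escaped on substitution, so quoting them would break that — confirm against shellExecutor`. The two `if` blocks throw the identical exception and can be folded into one condition, `if (preg_match('/[`\'"]{(?:ARGUMENTS|ROOM|USER)}[`\'"]/i', $script) || strpos($script, '{ARGUMENTS_DOUBLEQUOTE_ESCAPED}') !== false) {`. The `/i` flag also rejects `{arguments}`; whether lowercase placeholders are substituted anywhere is not visible here, so the flag is either intended or slightly broader than the substitution it guards. The enclosing method starts before and ends after this hunk.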