fix: 解决终端连接注入漏洞问题

ssongliu · ssongliu · commit f02f32456e5e · 2023-06-25T18:34:16.000+08:00
diff --git a/backend/app/api/v1/terminal.go b/backend/app/api/v1/terminal.go
@@ -163,11 +163,11 @@ func (b *BaseApi) ContainerWsSsh(c *gin.Context) {
 	}
 	defer wsConn.Close()
 
-	cmds := fmt.Sprintf("docker exec %s %s", containerID, command)
+	cmds := []string{"exec", containerID, command}
 	if len(user) != 0 {
-		cmds = fmt.Sprintf("docker exec -u %s %s %s", user, containerID, command)
+		cmds = []string{"exec", "-u", user, containerID, command}
 	}
-	stdout, err := cmd.Exec(cmds)
+	stdout, err := cmd.ExecWithCheck("docker", cmds...)
 	if wshandleError(wsConn, errors.WithMessage(err, stdout)) {
 		return
 	}
diff --git a/backend/utils/terminal/local_cmd.go b/backend/utils/terminal/local_cmd.go
@@ -8,6 +8,7 @@ import (
 	"unsafe"
 
 	"github.com/1Panel-dev/1Panel/backend/global"
+	"github.com/1Panel-dev/1Panel/backend/utils/cmd"
 	"github.com/creack/pty"
 	"github.com/pkg/errors"
 )
@@ -26,6 +27,9 @@ type LocalCommand struct {
 }
 
 func NewCommand(commands string) (*LocalCommand, error) {
+	if cmd.CheckIllegal(commands) {
+		return nil, errors.New("There are invalid characters in the command you're executing.")
+	}
 	cmd := exec.Command("sh", "-c", commands)
 
 	pty, err := pty.Start(cmd)

Original file line number	Diff line number	Diff line change
`@@ -163,11 +163,11 @@ func (b BaseApi) ContainerWsSsh(c gin.Context) {`
`163`	`163`	`}`
`164`	`164`	`defer wsConn.Close()`
`165`	`165`
`166`		`- cmds := fmt.Sprintf("docker exec %s %s", containerID, command)`
	`166`	`+ cmds := []string{"exec", containerID, command}`
`167`	`167`	`if len(user) != 0 {`
`168`		`- cmds = fmt.Sprintf("docker exec -u %s %s %s", user, containerID, command)`
	`168`	`+ cmds = []string{"exec", "-u", user, containerID, command}`
`169`	`169`	`}`
`170`		`- stdout, err := cmd.Exec(cmds)`
	`170`	`+ stdout, err := cmd.ExecWithCheck("docker", cmds...)`
`171`	`171`	`if wshandleError(wsConn, errors.WithMessage(err, stdout)) {`
`172`	`172`	`return`
`173`	`173`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`	`"unsafe"`
`9`	`9`
`10`	`10`	`"github.com/1Panel-dev/1Panel/backend/global"`
	`11`	`+ "github.com/1Panel-dev/1Panel/backend/utils/cmd"`
`11`	`12`	`"github.com/creack/pty"`
`12`	`13`	`"github.com/pkg/errors"`
`13`	`14`	`)`
`@@ -26,6 +27,9 @@ type LocalCommand struct {`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`func NewCommand(commands string) (*LocalCommand, error) {`
	`30`	`+ if cmd.CheckIllegal(commands) {`
	`31`	`+ return nil, errors.New("There are invalid characters in the command you're executing.")`
	`32`	`+ }`
`29`	`33`	`cmd := exec.Command("sh", "-c", commands)`
`30`	`34`
`31`	`35`	`pty, err := pty.Start(cmd)`