Sanitize input of qalculate
Signed-off-by: trivernis <trivernis@protonmail.com>pull/2/head
parent
9d4ed2dfb5
commit
8f98399ea9
@ -1,8 +1,9 @@
|
||||
use crate::utils::error::BotResult;
|
||||
use crate::utils::run_command_async;
|
||||
use crate::utils::process::{run_command_async, sanitize_argument};
|
||||
|
||||
/// Runs the qalc command with the given expression
|
||||
pub async fn qalc(expression: &str) -> BotResult<String> {
|
||||
let result = run_command_async("qalc", &[expression]).await?;
|
||||
let expression = sanitize_argument(expression, true)?;
|
||||
let result = run_command_async("qalc", &[&*expression]).await?;
|
||||
Ok(result)
|
||||
}
|
||||
|
@ -0,0 +1,51 @@
|
||||
use crate::utils::error::{BotError, BotResult};
|
||||
use regex::Regex;
|
||||
use std::io;
|
||||
use std::process::Stdio;
|
||||
use tokio::io::AsyncReadExt;
|
||||
use tokio::process::Command;
|
||||
|
||||
/// Asynchronously runs a given command and returns the output
|
||||
pub async fn run_command_async(command: &str, args: &[&str]) -> io::Result<String> {
|
||||
log::trace!("Running command '{}' with args {:?}", command, args);
|
||||
let cmd = Command::new(command)
|
||||
.args(args)
|
||||
.stdout(Stdio::piped())
|
||||
.stderr(Stdio::piped())
|
||||
.spawn()?;
|
||||
let mut stderr = String::new();
|
||||
let mut output = String::new();
|
||||
cmd.stderr.unwrap().read_to_string(&mut stderr).await?;
|
||||
if stderr.len() != 0 {
|
||||
log::debug!("STDERR of command {}: {}", command, stderr);
|
||||
}
|
||||
cmd.stdout.unwrap().read_to_string(&mut output).await?;
|
||||
log::trace!("Command output is {}", output);
|
||||
|
||||
Ok(output)
|
||||
}
|
||||
|
||||
/// Sanitizes a command line argument and throws an error
|
||||
/// on a possible injection attempt
|
||||
pub fn sanitize_argument(arg: &str, detect_help: bool) -> BotResult<String> {
|
||||
log::debug!("Sanitizing argument '{}'", arg);
|
||||
lazy_static::lazy_static! {
|
||||
static ref HELP_FLAG: Regex = Regex::new(r"^\s*(-*)h(elp)?\s*$").unwrap();
|
||||
static ref FLAG_REGEX: Regex = Regex::new(r"^\s*-\w*\s*$").unwrap();
|
||||
}
|
||||
if FLAG_REGEX.is_match(arg) {
|
||||
log::debug!("Detected STDIN injection");
|
||||
return Err(BotError::CliInject);
|
||||
}
|
||||
if detect_help && HELP_FLAG.is_match(arg) {
|
||||
log::debug!("Detected help injection");
|
||||
return Err(BotError::CliInject);
|
||||
}
|
||||
let arg = arg.replace("--", "\\-\\-");
|
||||
if arg.is_empty() {
|
||||
return Err(BotError::CliInject);
|
||||
}
|
||||
log::debug!("Sanitized argument is '{}'", arg);
|
||||
|
||||
Ok(arg)
|
||||
}
|
Loading…
Reference in New Issue