diff options
| -rw-r--r-- | .gitlab-ci.yml | 2 | ||||
| -rwxr-xr-x | lite.py | 9 | ||||
| -rw-r--r-- | rparse.py | 2 |
3 files changed, 11 insertions, 2 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ef49cb6..744bc61 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -32,4 +32,6 @@ bandit-sast: - cp game/*.rpy debug/ - cp game/*/*.rpy debug/ - python rparse.py + - mv debug/*-sast.py . + - sleep 10 @@ -45,6 +45,13 @@ def ifte(ifs, then, elses): else: return elses +# Sanitize a command (strip some flow control chars) +# While it covers all control operators and most metacharacters, +# it doesn't covers well the reserved words. +# ...Of course, it relies on this client not being compromised. +def san(cmd): + return cmd.replace(";", "").replace("|", "").replace(">", "").replace("<", "").replace("&", "").replace("(", "").replace(")", "").replace("\n", "").replace("[[", "").replace("]]", "") + # Returns number of seconds since UNIX EPOCH def now(): return int(time.time()) @@ -162,7 +169,7 @@ def launch_game(idx): OPT="-s %s -y evol2 -p %s -S" % (HOST, PORT) ## Execute the app - app=execute("%s %s%s" % (CMD, OPT, PWD), shell=True) + app=execute(san("%s %s%s" % (CMD, OPT, PWD)), shell=True) # nosec return app @@ -29,4 +29,4 @@ for f in os.listdir(os.getcwd()+"/debug"): ft.write(" "+l.replace("$", "").lstrip()) ft.close() -subprocess.call("ls \"%s\"" % os.getcwd()+"/debug", shell=True) +subprocess.call("ls \"%s\"" % os.getcwd()+"/debug", shell=True) # nosec |