From 0909dac3c032f23bf6335ae00f36f89e1f8408dd Mon Sep 17 00:00:00 2001 From: Jesusaves Date: Mon, 30 Aug 2021 15:10:41 -0300 Subject: Add the subproc sanitizer to lite.py --- .gitlab-ci.yml | 2 ++ lite.py | 9 ++++++++- rparse.py | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ef49cb6..744bc61 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -32,4 +32,6 @@ bandit-sast: - cp game/*.rpy debug/ - cp game/*/*.rpy debug/ - python rparse.py + - mv debug/*-sast.py . + - sleep 10 diff --git a/lite.py b/lite.py index 38ecff7..b4a5516 100755 --- a/lite.py +++ b/lite.py @@ -45,6 +45,13 @@ def ifte(ifs, then, elses): else: return elses +# Sanitize a command (strip some flow control chars) +# While it covers all control operators and most metacharacters, +# it doesn't covers well the reserved words. +# ...Of course, it relies on this client not being compromised. +def san(cmd): + return cmd.replace(";", "").replace("|", "").replace(">", "").replace("<", "").replace("&", "").replace("(", "").replace(")", "").replace("\n", "").replace("[[", "").replace("]]", "") + # Returns number of seconds since UNIX EPOCH def now(): return int(time.time()) @@ -162,7 +169,7 @@ def launch_game(idx): OPT="-s %s -y evol2 -p %s -S" % (HOST, PORT) ## Execute the app - app=execute("%s %s%s" % (CMD, OPT, PWD), shell=True) + app=execute(san("%s %s%s" % (CMD, OPT, PWD)), shell=True) # nosec return app diff --git a/rparse.py b/rparse.py index 655582b..098abae 100644 --- a/rparse.py +++ b/rparse.py @@ -29,4 +29,4 @@ for f in os.listdir(os.getcwd()+"/debug"): ft.write(" "+l.replace("$", "").lstrip()) ft.close() -subprocess.call("ls \"%s\"" % os.getcwd()+"/debug", shell=True) +subprocess.call("ls \"%s\"" % os.getcwd()+"/debug", shell=True) # nosec -- cgit v1.2.3-70-g09d2