
"IP address" parameter type #136

Closed
CyrilKuzmin opened this issue Oct 24, 2018 · 8 comments

Comments

@CyrilKuzmin

Hi guys,

the app is really wonderful! ..And I have 1.5 questions:
1/ Has anyone faced the necessity to verify that an entered parameter is a valid IPv4/IPv6 address? :)
I'm checking it with a separate py script, but I think it's worthy of being a parameter type...
1.5/ What is the best way to exclude the possibility of using the "&&" operator? For example: "some_thing && kill -9 $(pgrep -f python)"

Thank you!

@bugy
Owner

bugy commented Oct 24, 2018

Hi @xxlaefxx,

IP address type makes sense and is a nice idea, thanks! I'll add it.

Regarding the && operator (and any other bash operators): script server protects from it, a few more details here: Shell commands injection. It will always be passed as a positional argument to your script and not executed on its own (even if you put it in script_path).

@bugy bugy added the feature label Oct 24, 2018
@CyrilKuzmin
Author

1/ Thank you in advance for IP addresses and this quick response! :)

1.5/ Yes, I read it and added double quotes (everywhere), but I got something like this in the beginning:

> 2018-10-24 23:47:12,425 [script_server.execution_service.INFO] Calling script #52: /opt/script-server/scripts/SimpleScript.sh -ip 192.168.1.19 && wall "I pwned myself"
> 2018-10-24 23:47:12,437 [tornado.access.INFO] 200 POST /scripts/execution (192.168.1.19) 62.43ms
> 2018-10-24 23:47:12,453 [tornado.access.INFO] 101 GET /scripts/execution/io/52 (192.168.1.19) 1.12ms
> 
> Broadcast message from nosudo@centostst3 (Wed Oct 24 23:47:14 2018):
> 
> I pwned myself
> 2018-10-24 23:47:15,073 [web_server.INFO] 192.168.1.19 disconnected
> 2018-10-24 23:47:15,076 [tornado.access.INFO] 200 POST /scripts/execution/cleanup/52 (192.168.1.19) 1.46ms

conf/runner/SimpleScript.json

{
  "parameters": [
    {
      "name": "IP address",
      "param": "-ip",
      "description": "Please enter a valid IP address"
    }
  ]
}

@bugy
Owner

bugy commented Oct 25, 2018

Hi @xxlaefxx,

I don't know how you parse and use incoming arguments; I tried to reproduce it locally and I couldn't. The test script I was using (it's without -ip, just a positional argument):

#!/bin/bash

param_unsafe=$1
param="$1"

ping -c 1 "$1"
ping -c 1 "$param_unsafe"
ping -c 1 "$param"
ping -c 1 $param

All pings and parameter initializations worked fine, without processing &&.
Only the last ping failed, but it tried to ping the part after && for some reason.

@CyrilKuzmin
Author

CyrilKuzmin commented Oct 26, 2018

Ok, the reason was CentOS 6 and the "latest" python34 installed.
It works perfectly with the latest python 3.7 on all the other servers :)

Thank you!

@bugy
Owner

bugy commented Oct 26, 2018

Hi @xxlaefxx , thank you for getting back.
Could you still share the code (obfuscated if needed) showing how you work with parameters inside your script? Script server shouldn't allow such injections even on older distributions. If it does, then it's a critical issue.

@CyrilKuzmin
Author

Hi @bugy,
Sorry, but I've already upgraded my test env and modified all my test scripts... I'll try to restore and reproduce it later and let you know.
Previously it was something like:

#!/bin/bash
# my functions (NslookupFunction, MainFunction) are defined here
key="$1"
case "$key" in
    -ip)
    IP="$2"
    ;;
    -hostname)
    # command substitution: bash has no call-with-parentheses syntax
    IP=$(NslookupFunction "$2")
    ;;
    *)
    echo "unknown option"
    ;;
esac
# pass the address as a single quoted argument
MainFunction "$IP"

@bugy
Owner

bugy commented Oct 26, 2018

Hi @xxlaefxx, thank you!

@bugy
Owner

bugy commented Dec 28, 2018

Added new parameter types:

  • ip - IPv4 or IPv6
  • ip4 - IPv4
  • ip6 - IPv6

Validation is done on server and client side.

The dev build is available at https://github.com/bugy/script-server/releases/download/dev/script-server.zip
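As an added example (not script-server's own code), a minimal Python model of the two defences discussed in this thread: a validator for the ip / ip4 / ip6 parameter types, and passing the parameter as a single argv element with no shell, so that a value such as "192.168.1.19 && wall ..." is rejected by validation and, even if it reached the script, would arrive as plain text rather than be executed. Function names are hypothetical.

```python
import ipaddress
import json
import subprocess
import sys


def validate_ip_param(value, param_type):
    """Hypothetical validator modelling the ip / ip4 / ip6 parameter types.
    Returns the normalised address string or raises ValueError."""
    if param_type not in ("ip", "ip4", "ip6"):
        raise ValueError(f"unknown parameter type {param_type!r}")
    try:
        # ip_address() accepts exactly one address, so a value carrying
        # "&& wall ..." fails here, before anything is executed.
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        raise ValueError(f"{value!r} is not a valid IP address") from None
    if param_type == "ip4" and addr.version != 4:
        raise ValueError(f"{value!r} is not an IPv4 address")
    if param_type == "ip6" and addr.version != 6:
        raise ValueError(f"{value!r} is not an IPv6 address")
    return str(addr)


def is_valid_ip_param(value, param_type):
    """Boolean convenience wrapper around validate_ip_param()."""
    try:
        validate_ip_param(value, param_type)
        return True
    except ValueError:
        return False


def argv_as_received(param_flag, value):
    """Run a tiny Python child (stand-in for the user's script) with
    shell=False, the flag and the raw value as separate argv entries,
    and return the argv the child actually received.  With no shell in
    the path, '&&' is just characters inside one argument."""
    child = "import json, sys; print(json.dumps(sys.argv[1:]))"
    argv = [sys.executable, "-c", child, param_flag, value]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    # Constructed sample values modelled on the log lines in this thread.
    print(validate_ip_param("192.168.1.19", "ip4"))
    print(is_valid_ip_param('192.168.1.19 && wall "I pwned myself"', "ip"))
    print(argv_as_received("-ip", '192.168.1.19 && wall "I pwned myself"'))
```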

@bugy bugy closed this as completed Jan 25, 2019