修复插件shell命令注入漏洞

hhyo · Jan 5, 2022 · 98e353a · 98e353a
1 parent af13722
commit 98e353a
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/sql/plugins/binglog2sql.py b/sql/plugins/binglog2sql.py
@@ -33,7 +33,7 @@ def generate_args2cmd(self, args, shell):
                          'start-datetime', 'stop-datetime']
         filter_options = ['databases', 'tables', 'only-dml', 'sql-type']
         if shell:
-            cmd_args = f'python {self.path}' if self.path else ''
+            cmd_args = f'python {shlex.quote(str(self.path))}' if self.path else ''
             for name, value in args.items():
                 if name in conn_options:
                     cmd_args += f' {value}'

diff --git a/sql/plugins/soar.py b/sql/plugins/soar.py
@@ -28,7 +28,7 @@ def generate_args2cmd(self, args, shell):
         :return:
         """
         if shell:
-            cmd_args = self.path if self.path else ''
+            cmd_args = shlex.quote(str(self.path)) if self.path else ''
             for name, value in args.items():
                 cmd_args += f" -{name}={shlex.quote(str(value))}"
         else:

diff --git a/sql/plugins/sqladvisor.py b/sql/plugins/sqladvisor.py
@@ -27,7 +27,7 @@ def generate_args2cmd(self, args, shell):
         :return:
         """
         if shell:
-            cmd_args = self.path if self.path else ''
+            cmd_args = shlex.quote(str(self.path)) if self.path else ''
             for name, value in args.items():
                 cmd_args += f" -{name} {shlex.quote(str(value))}"
         else: