修复插件shell命令注入漏洞 - 通过实例信息注入

hhyo · Jan 5, 2022 · abda4c1 · abda4c1
1 parent 98e353a
commit abda4c1
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 10 deletions.
diff --git a/sql/binlog.py b/sql/binlog.py
@@ -4,6 +4,7 @@
 import os
 import time
 import traceback
+import shlex
 
 import simplejson as json
 from django.conf import settings
@@ -112,7 +113,8 @@ def binlog2sql(request):
     # 提交给binlog2sql进行解析
     binlog2sql = Binlog2Sql()
     # 准备参数
-    args = {"conn_options": fr"-h{instance.host} -u{instance.user} -p'{instance.password}' -P{instance.port} ",
+    args = {"conn_options": fr"-h{shlex.quote(str(instance.host))} -u{shlex.quote(str(instance.user))} \
+                -p'{shlex.quote(str(instance.password))}' -P{shlex.quote(str(instance.port))} ",
             "stop_never": False,
             "no-primary-key": no_pk,
             "flashback": flashback,
@@ -190,7 +192,8 @@ def binlog2sql_file(args, user):
     """
     binlog2sql = Binlog2Sql()
     instance = args.get('instance')
-    conn_options = fr"-h{instance.host} -u{instance.user} -p'{instance.password}' -P{instance.port}"
+    conn_options = fr"-h{shlex.quote(str(instance.host))} -u{shlex.quote(str(instance.user))} \
+                -p'{shlex.quote(str(instance.password))}' -P{shlex.quote(str(instance.port))} ",
     args['conn_options'] = conn_options
     timestamp = int(time.time())
     path = os.path.join(settings.BASE_DIR, 'downloads/binlog2sql/')

diff --git a/sql/instance.py b/sql/instance.py
@@ -201,15 +201,15 @@ def schemasync(request):
         "sync-comments": sync_comments,
         "tag": tag,
         "output-directory": output_directory,
-        "source": r"mysql://{user}:'{pwd}'@{host}:{port}/{database}".format(user=instance_info.user,
-                                                                            pwd=instance_info.password,
-                                                                            host=instance_info.host,
-                                                                            port=instance_info.port,
+        "source": r"mysql://{user}:'{pwd}'@{host}:{port}/{database}".format(user=shlex.quote(str(instance_info.user)),
+                                                                            pwd=shlex.quote(str(instance_info.password)),
+                                                                            host=shlex.quote(str(instance_info.host)),
+                                                                            port=shlex.quote(str(instance_info.port)),
                                                                             database=db_name),
-        "target": r"mysql://{user}:'{pwd}'@{host}:{port}/{database}".format(user=target_instance_info.user,
-                                                                            pwd=target_instance_info.password,
-                                                                            host=target_instance_info.host,
-                                                                            port=target_instance_info.port,
+        "target": r"mysql://{user}:'{pwd}'@{host}:{port}/{database}".format(user=shlex.quote(str(target_instance_info.user)),
+                                                                            pwd=shlex.quote(str(target_instance_info.password)),
+                                                                            host=shlex.quote(str(target_instance_info.host)),
+                                                                            port=shlex.quote(str(target_instance_info.port)),
                                                                             database=target_db_name)
     }
     # 参数检查