gh_mirrors/1Panel
1
0
Fork 0
mirror of https://github.com/1Panel-dev/1Panel.git synced 2025-01-31 22:18:07 +08:00
Code

fix: 解决终端连接注入漏洞问题

Browse Source
This commit is contained in:
ssongliu 2023-06-25 18:31:34 +08:00 committed by ssongliu
parent 57916ed6d7
commit f02f32456e
2 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
backend/app/api/v1/terminal.go
View File

@ -163,11 +163,11 @@ func (b *BaseApi) ContainerWsSsh(c *gin.Context) {
}
defer wsConn.Close()
cmds := fmt.Sprintf("docker exec %s %s", containerID, command)
cmds := []string{"exec", containerID, command}
if len(user) != 0 {
cmds = fmt.Sprintf("docker exec -u %s %s %s", user, containerID, command)
cmds = []string{"exec", "-u", user, containerID, command}
}
stdout, err := cmd.Exec(cmds)
stdout, err := cmd.ExecWithCheck("docker", cmds...)
if wshandleError(wsConn, errors.WithMessage(err, stdout)) {
return
}

4
backend/utils/terminal/local_cmd.go
View File

@ -8,6 +8,7 @@ import (
"unsafe"
"github.com/1Panel-dev/1Panel/backend/global"
"github.com/1Panel-dev/1Panel/backend/utils/cmd"
"github.com/creack/pty"
"github.com/pkg/errors"
)
@ -26,6 +27,9 @@ type LocalCommand struct {
}
func NewCommand(commands string) (*LocalCommand, error) {
if cmd.CheckIllegal(commands) {
return nil, errors.New("There are invalid characters in the command you're executing.")
}
cmd := exec.Command("sh", "-c", commands)
pty, err := pty.Start(cmd)