From dbb25f7288be2c9d2afe796d63d1a070e353daca Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 8 Nov 2016 16:48:58 +0100 Subject: k 5 Reaktor: harden sed-plugin --- krebs/5pkgs/Reaktor/plugins.nix | 2 +- krebs/5pkgs/Reaktor/scripts/sed-plugin.py | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/krebs/5pkgs/Reaktor/plugins.nix b/krebs/5pkgs/Reaktor/plugins.nix index a483db32c..242373ced 100644 --- a/krebs/5pkgs/Reaktor/plugins.nix +++ b/krebs/5pkgs/Reaktor/plugins.nix @@ -59,7 +59,7 @@ rec { }; sed-plugin = buildSimpleReaktorPlugin "sed-plugin" { - path = [ pkgs.gnused pkgs.python3 ]; + path = [ pkgs.gnused pkgs.proot pkgs.python3 ]; # only support s///gi the plugin needs to see every msg # TODO: this will eat up the last regex, fix Reaktor to support fallthru append_rule = true; diff --git a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py b/krebs/5pkgs/Reaktor/scripts/sed-plugin.py index 8103c9585..6039aeb43 100644 --- a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py +++ b/krebs/5pkgs/Reaktor/scripts/sed-plugin.py @@ -34,9 +34,22 @@ if m: flagstr = '' last = d.get(usr,None) if last: - #print(re.sub(fn,tn,last,count=count,flags=flags)) from subprocess import Popen,PIPE - p = Popen(['sed','s/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE ) + import shutil + from os.path import realpath + # sed only needs stdin/stdout, we protect state_dir with this + # input to read/write arbitrary files: + # s/.\/\/; w /tmp/i (props to waldi) + # conclusion: sed is untrusted and we handle it like this + p = Popen(['proot', + # '-v','1', + '-w','/', # cwd is root + '-b','/nix/store', # mount important folders + '-b','/usr', + '-b','/bin', + '-r','/var/empty', # chroot to /var/empty + realpath(shutil.which('sed')), + 's/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE ) so,se = p.communicate(bytes("{}\n".format(last),"UTF-8")) if p.returncode: print("something went wrong when trying to process your regex: {}".format(se.decode())) -- cgit v1.2.3