fix: 解决添加仓库注入漏洞问题

2025-10-31 19:26:02 +08:00 · 2023-06-25 18:31:21 +08:00 · 2023-06-25 18:31:21 +08:00 · 321ed00734
commit 321ed00734
parent 8ff160408f
2 changed files with 46 additions and 3 deletions
--- a/backend/app/service/image_repo.go
+++ b/backend/app/service/image_repo.go
@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"os"
 	"path"
 	"strings"
@ -149,7 +150,7 @@ func (u *ImageRepoService) Update(req dto.ImageRepoUpdate) error {
 	if repo.DownloadUrl != req.DownloadUrl || (!repo.Auth && req.Auth) {
 		_ = u.handleRegistries(req.DownloadUrl, repo.DownloadUrl, "update")
 		if repo.Auth {
-			_, _ = cmd.Execf("docker logout %s", repo.DownloadUrl)
+			_, _ = cmd.ExecWithCheck("docker", "logout", repo.DownloadUrl)
 		}
 		stdout, err := cmd.Exec("systemctl restart docker")
 		if err != nil {
@ -176,9 +177,9 @@ func (u *ImageRepoService) Update(req dto.ImageRepoUpdate) error {
 }
 func (u *ImageRepoService) CheckConn(host, user, password string) error {
-	stdout, err := cmd.Execf("docker login -u %s -p %s %s", user, password, host)
+	stdout, err := cmd.ExecWithCheck("docker", "login", "-u", user, "-p", password, host)
 	if err != nil {
-		return errors.New(string(stdout))
+		return fmt.Errorf("stdout: %s, stderr: %v", stdout, err)
 	}
 	if strings.Contains(string(stdout), "Login Succeeded") {
 		return nil
--- a/backend/utils/cmd/cmd.go
+++ b/backend/utils/cmd/cmd.go
@ -3,8 +3,10 @@ package cmd
 import (
 	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"os/exec"
 	"strings"
 	"time"
 	"github.com/1Panel-dev/1Panel/backend/buserr"
@ -117,6 +119,46 @@ func Execf(cmdStr string, a ...interface{}) (string, error) {
 	return stdout.String(), nil
 }
 func ExecWithCheck(name string, a ...string) (string, error) {
 	if CheckIllegal(a...) {
 		return "error exec !", errors.New("There are invalid characters in the command you're executing.")
 	}
 	cmd := exec.Command(name, a...)
 	var stdout, stderr bytes.Buffer
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
 	err := cmd.Run()
 	if err != nil {
 		errMsg := ""
 		if len(stderr.String()) != 0 {
 			errMsg = fmt.Sprintf("stderr: %s", stderr.String())
 		}
 		if len(stdout.String()) != 0 {
 			if len(errMsg) != 0 {
 				errMsg = fmt.Sprintf("%s; stdout: %s", errMsg, stdout.String())
 			} else {
 				errMsg = fmt.Sprintf("stdout: %s", stdout.String())
 			}
 		}
 		return errMsg, err
 	}
 	return stdout.String(), nil
 }
 func CheckIllegal(args ...string) bool {
 	if args == nil {
 		return false
 	}
 	for _, arg := range args {
 		if strings.Contains(arg, "&") || strings.Contains(arg, "|") || strings.Contains(arg, ";") ||
 			strings.Contains(arg, "$") || strings.Contains(arg, "'") || strings.Contains(arg, "`") ||
 			strings.Contains(arg, "(") || strings.Contains(arg, ")") || strings.Contains(arg, "\"") {
 			return true
 		}
 	}
 	return false
 }
 func HasNoPasswordSudo() bool {
 	cmd2 := exec.Command("sudo", "-n", "ls")
 	err2 := cmd2.Run()