Added support for running raw commands on a collection #939
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| const fun = match[1]; | ||
| if (typeof req.collection[fun] === 'function') { | ||
| const args = match[2].split(',').map((s) => eval(`(${s})`)); |
Check failure
Code scanning / CodeQL
Code injection
| @@ -130,6 +130,43 @@ | |||
|
|
|||
| // view all entries in a collection | |||
| exp.viewCollection = async function (req, res) { | |||
| if (req.query.command) { | |||
| try { | |||
| const match = /^(.*?)\s*\((.*)\)\s*$/.exec(req.query.command); | |||
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data
|
This seems pretty dangerous. This should be off by default and we can't trust the UI to disable it. |
| @@ -138,6 +138,7 @@ You can use the following [environment variables](https://docs.docker.com/refere | |||
| `ME_CONFIG_OPTIONS_FULLWIDTH_LAYOUT` | `false` | if set to true an alternative page layout is used utilizing full window width. | |||
| `ME_CONFIG_OPTIONS_PERSIST_EDIT_MODE` | `false` | if set to true, remain on same page after clicked on Save button | |||
| `ME_CONFIG_OPTIONS_NO_DELETE` | `false` | if noDelete is true, components of deleting are not visible. | |||
| `ME_CONFIG_OPTIONS_NO_RAW_COMMAND`| `false` | if noRawCommand is true, the Raw tab in collection view is not visible. | |||
There was a problem hiding this comment.
Maybe this should be called something else to highlight how risky this is. ME_CONFIG_OPTIONS_ALLOW_CODE_INJECTION? Default must be not to allow it.
|
Instead of allow this by default, we should only allow with a flag that should be explicitly enabled by the user. So in case of want use "insecure" eval raw commands it is because they choose that option, but this will not be ship as enabled by default |
This change is
Replace #613 (contains some info) and #938