New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added support for running raw commands on a collection #939
base: master
Are you sure you want to change the base?
Conversation
|
||
const fun = match[1]; | ||
if (typeof req.collection[fun] === 'function') { | ||
const args = match[2].split(',').map((s) => eval(`(${s})`)); |
Check failure
Code scanning / CodeQL
Code injection
@@ -130,6 +130,43 @@ | |||
|
|||
// view all entries in a collection | |||
exp.viewCollection = async function (req, res) { | |||
if (req.query.command) { | |||
try { | |||
const match = /^(.*?)\s*\((.*)\)\s*$/.exec(req.query.command); |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data
This seems pretty dangerous. This should be off by default and we can't trust the UI to disable it. |
@@ -138,6 +138,7 @@ You can use the following [environment variables](https://docs.docker.com/refere | |||
`ME_CONFIG_OPTIONS_FULLWIDTH_LAYOUT` | `false` | if set to true an alternative page layout is used utilizing full window width. | |||
`ME_CONFIG_OPTIONS_PERSIST_EDIT_MODE` | `false` | if set to true, remain on same page after clicked on Save button | |||
`ME_CONFIG_OPTIONS_NO_DELETE` | `false` | if noDelete is true, components of deleting are not visible. | |||
`ME_CONFIG_OPTIONS_NO_RAW_COMMAND`| `false` | if noRawCommand is true, the Raw tab in collection view is not visible. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this should be called something else to highlight how risky this is. ME_CONFIG_OPTIONS_ALLOW_CODE_INJECTION? Default must be not to allow it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree
Instead of allow this by default, we should only allow with a flag that should be explicitly enabled by the user. So in case of want use "insecure" eval raw commands it is because they choose that option, but this will not be ship as enabled by default |
This change is
Replace #613 (contains some info) and #938