fix: security issue in command runner (closes #1621)
o1egl committed Oct 31, 2021
1 parent 6cb51b4 commit 74b7cd8
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions http/commands.go
@@ -59,19 +59,19 @@ var commandsHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *d
}
}

if !d.server.EnableExec || !d.user.CanExecute(strings.Split(raw, " ")[0]) {
if err := conn.WriteMessage(websocket.TextMessage, cmdNotAllowed); err != nil { //nolint:govet
command, err := runner.ParseCommand(d.settings, raw)
if err != nil {
if err := conn.WriteMessage(websocket.TextMessage, []byte(err.Error())); err != nil { //nolint:govet
wsErr(conn, r, http.StatusInternalServerError, err)
}

return 0, nil
}

command, err := runner.ParseCommand(d.settings, raw)
if err != nil {
if err := conn.WriteMessage(websocket.TextMessage, []byte(err.Error())); err != nil { //nolint:govet
if !d.server.EnableExec || !d.user.CanExecute(command[0]) {
if err := conn.WriteMessage(websocket.TextMessage, cmdNotAllowed); err != nil { //nolint:govet
wsErr(conn, r, http.StatusInternalServerError, err)
}

return 0, nil
}
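Review bot: With the checks reordered, `runner.ParseCommand` now runs and its `err.Error()` text is written to the websocket before `d.server.EnableExec` is consulted, so a deployment with exec disabled, or a user with no permitted commands, still gets parser output for whatever input is sent. `EnableExec` does not depend on the parsed command and could be tested before parsing, as sketched below. `command[0]` also assumes that ParseCommand never returns an empty slice with a nil error, and that its first element is the program the user named rather than something ParseCommand prepends; neither is visible in this hunk, so a `len(command) == 0` guard and a check of ParseCommand's return contract are worth adding. The enclosing `commandsHandler` closure starts and ends outside the hunk.

```go
if !d.server.EnableExec {
	if err := conn.WriteMessage(websocket.TextMessage, cmdNotAllowed); err != nil { //nolint:govet
		wsErr(conn, r, http.StatusInternalServerError, err)
	}

	return 0, nil
}

// … unchanged: runner.ParseCommand call and its error reply …

if len(command) == 0 || !d.user.CanExecute(command[0]) {
	// … unchanged: cmdNotAllowed reply and return …
}
```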
