Merge pull request from GHSA-r6v9-p59m-gj2p

Refactor pool upgrade handler - ubuntu 16.04
hyperledger · Sep 2, 2022 · fe50747 · fe50747
2 parents b894cc0 + 6215b99
commit fe50747
Show file tree

Hide file tree

Showing 6 changed files with 405 additions and 40 deletions.
diff --git a/indy_common/test/test_util.py b/indy_common/test/test_util.py
@@ -1,6 +1,8 @@
+import pytest
+
 from operator import itemgetter
 from indy_common.util import getIndex
-
+from indy_common.util import compose_cmd
 
 def test_getIndex():
     items = [('a', {'key1': 1}), ('b', {'key2': 2})]
@@ -12,3 +14,32 @@ def containsKey(key):
     assert 0 == getIndex(containsKey('key1'), items)
     assert 1 == getIndex(containsKey('key2'), items)
     assert -1 == getIndex(containsKey('key3'), items)
+
+@pytest.mark.parametrize(
+    'pkg_name,package',
+    [
+        pytest.param('some_package', 'some_package', id='some_package'),
+        pytest.param('package_1', 'package_1;echo "hi"&&echo "hello"\necho "hello world!"', id='strips mixed cmd concat'),
+        pytest.param('package_3', 'package_3;echo "hey"', id='strips semi-colon cmd concat'),
+        pytest.param('package_4', 'package_4&&echo "hey"', id='strips and cmd concat'),
+        pytest.param('package_5', 'package_5\necho "hey"', id='strips Cr cmd concat'),
+    ]
+)
+def test_compose_cmd(pkg_name, package):
+    expected_cmd = f'dpkg -s {pkg_name}'
+
+    cmd = compose_cmd(['dpkg', '-s', package])
+    assert expected_cmd == cmd
+
+def test_compose_cmd_allows_whitespace():
+    pkg_name = 'package_7 some_other_package'
+    expected_cmd = f'dpkg -s {pkg_name}'
+    cmd = compose_cmd(['dpkg', '-s', pkg_name])
+    assert expected_cmd == cmd
+
+def test_compose_cmd_allows_pipe():
+    expected_cmd = 'dpkg --get-selections | grep -v deinstall | cut -f1'
+    cmd = compose_cmd(
+        ['dpkg', '--get-selections', '|', 'grep', '-v', 'deinstall', '|', 'cut', '-f1']
+    )
+    assert expected_cmd == cmd
diff --git a/indy_common/util.py b/indy_common/util.py
@@ -1,6 +1,7 @@
 import datetime
 import os
 import random
+import re
 from typing import Tuple, Union, TypeVar, List, Callable
 
 import libnacl.secret
@@ -143,6 +144,7 @@ def getIndex(predicateFn: Callable[[T], bool], items: List[T]) -> int:
 def compose_cmd(cmd):
     if os.name != 'nt':
         cmd = ' '.join(cmd)
+        cmd = re.split(";|&&", cmd.splitlines()[0], 1)[0].rstrip()
     return cmd
 
 

diff --git a/indy_node/server/request_handlers/config_req_handlers/pool_upgrade_handler.py b/indy_node/server/request_handlers/config_req_handlers/pool_upgrade_handler.py
@@ -1,3 +1,5 @@
+import re
+
 from typing import Optional
 
 from indy_common.authorize.auth_actions import AuthActionAdd, AuthActionEdit
@@ -52,22 +54,6 @@ def additional_dynamic_validation(self, request: Request, req_pp_time: Optional[
         self._validate_request_type(request)
         identifier, req_id, operation = get_request_data(request)
         status = '*'
-
-        pkg_to_upgrade = operation.get(PACKAGE, getConfig().UPGRADE_ENTRY)
-        targetVersion = operation[VERSION]
-        reinstall = operation.get(REINSTALL, False)
-
-        if not pkg_to_upgrade:
-            raise InvalidClientRequest(identifier, req_id, "Upgrade package name is empty")
-
-        try:
-            res = self.upgrader.check_upgrade_possible(pkg_to_upgrade, targetVersion, reinstall)
-        except Exception as exc:
-            res = str(exc)
-
-        if res:
-            raise InvalidClientRequest(identifier, req_id, res)
-
         action = operation.get(ACTION)
         # TODO: Some validation needed for making sure name and version
         # present
@@ -99,6 +85,22 @@ def additional_dynamic_validation(self, request: Request, req_pp_time: Optional[
         self.write_req_validator.validate(request,
                                           [auth_action])
 
+        pkg_to_upgrade = operation.get(PACKAGE, getConfig().UPGRADE_ENTRY)
+        if not pkg_to_upgrade:
+            raise InvalidClientRequest(identifier, req_id, "Upgrade package name is empty")
+
+        # Only allow processing of a single package
+        pkg_to_upgrade = re.split("\s+|;|&&|\|", pkg_to_upgrade.splitlines()[0], 1)[0].rstrip()
+        targetVersion = operation[VERSION]
+        reinstall = operation.get(REINSTALL, False)
+        try:
+            res = self.upgrader.check_upgrade_possible(pkg_to_upgrade, targetVersion, reinstall)
+        except Exception as exc:
+            res = str(exc)
+
+        if res:
+            raise InvalidClientRequest(identifier, req_id, res)
+
     def apply_forced_request(self, req: Request):
         super().apply_forced_request(req)
         txn = self._req_to_txn(req)