#447 - Resolve escaping

app/server/index.go

@@ -1,5 +1,7 @@
 package main
 
+import "regexp"
+
 import (
 	"bytes"
 	"flag"
@@ -22,6 +24,20 @@ func main() {
 	http.Handle("/", http.FileServer(http.Dir(*staticPath)))
 	http.HandleFunc("/server/", func(w http.ResponseWriter, r *http.Request) {
 		module := r.URL.Query().Get("module")
+
+		// Escape the contents of the variable "module" so that no shell command can leak.
+		r = regexp.MustCompile("\\")
+		module = r.ReplaceAllString(module, "\\\\")
+
+		r = regexp.MustCompile("\"")
+		module = r.ReplaceAllString(module, "\\\"")
+
+		r = regexp.MustCompile("`")
+		module = r.ReplaceAllString(module, "\`")
+
+		r = regexp.MustCompile("\$")
+		module = r.ReplaceAllString(module, "\\$")
+
 		if module == "" {
 			http.Error(w, "No module specified, or requested module doesn't exist.", 406)
 			return

app/server/index.js

@@ -33,6 +33,10 @@ wsServer = new ws({
 var nixJsonAPIScript = __dirname + '/linux_json_api.sh'
 
 function getPluginData(pluginName, callback) {
+  // Escape the module.
+  pluginName = pluginName.replace(/([\\"\$`\(\)])+/g, "\\$1");
+
+  // Then, after escaping the module, spawn the command.
   var command = spawn(nixJsonAPIScript, [ pluginName, '' ])
   var output  = []
 

app/server/index.py

@@ -26,6 +26,15 @@ def do_GET(self):
             contentType = 'text/html'
             if self.path.startswith("/server/"):
                 module = self.path.split('=')[1]
+                module = '%s' % (
+                    module
+                    .replace('\\', '\\\\')
+                    .replace('(', '\\(')
+                    .replace(')', '\\)')
+                    .replace('"', '\\"')
+                    .replace('$', '\\$')
+                    .replace('`', '\\`')
+                )
                 output = subprocess.Popen(
                     appRootPath + modulesSubPath + " " + module,
                     shell = True,