[sec] added quoted text path parsing (Closes #132)

- Special thanks to @kamade for the provided patch from which this commit was inspired!
ghantoos · Jul 22, 2016 · af8a24b · af8a24b
1 parent f55e004
commit af8a24b
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/lshell/sec.py b/lshell/sec.py
@@ -158,6 +158,22 @@ def check_secure(line, conf, strict=None, ssh=None):
     # strip all spaces/tabs
     line = " ".join(line.split())
 
+    # init return code
+    returncode = 0
+
+    # This logic is kept crudely simple on purpose.
+    # At most we might match the same stanza twice
+    # (for e.g. "'a'", 'a') but the converse would
+    # require detecting single quotation stanzas
+    # nested within double quotes and vice versa
+    relist = re.findall(r'[^=]\"(.+)\"', line)
+    relist2 = re.findall(r'[^=]\'(.+)\'', line)
+    relist = relist + relist2
+    for item in relist:
+        if os.path.exists(item):
+            ret_check_path, conf = check_path(item, conf, strict=strict)
+            returncode += ret_check_path
+
     # ignore quoted text
     line = re.sub(r'\"(.+?)\"', '', line)
     line = re.sub(r'\'(.+?)\'', '', line)
@@ -189,7 +205,6 @@ def check_secure(line, conf, strict=None, ssh=None):
                                        ssh=ssh)
                 return ret, conf
 
-    returncode = 0
     # check if the line contains $(foo) executions, and check them
     executions = re.findall('\$\([^)]+[)]', line)
     for item in executions:

diff --git a/test/test_functional.py b/test/test_functional.py
@@ -369,5 +369,21 @@ def test_26_cmd_completion_dot_slash(self):
 
         self.assertEqual(expected, result)
 
+    def test_27_checksecure_awk(self):
+        """ F27 | checksecure awk script with /bin/bash """
+        self.child = pexpect.spawn('%s/bin/lshell '
+                                   '--config %s/etc/lshell.conf '
+                                   '--allowed "+ [\'awk\']"'
+                                   % (TOPDIR, TOPDIR))
+        self.child.expect('%s:~\$' % self.user)
+
+        expected = u'*** forbidden path: /bin/bash'
+        self.child.sendline('awk \'BEGIN {system("/bin/bash")}\'')
+        self.child.expect('%s:~\$' % self.user)
+        result = self.child.before.decode('utf8').split('\n')[1].strip()
+
+        self.assertEqual(expected, result)
+
+
 if __name__ == '__main__':
     unittest.main()
diff --git a/test/words b/test/words
@@ -57,3 +57,4 @@ recurse
 sys
 tuples
 sigterm
+init