Merge pull request #113 from laowantong/fix-RCE-vulnerabilities

Fix RCE vulnerabilities
laowantong · May 9, 2024 · f9368df · f9368df
2 parents 3ef367a + 8eb7b87
commit f9368df
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/mocodo/__init__.py b/mocodo/__init__.py
@@ -1,7 +1,7 @@
 from pathlib import Path
 from importlib import import_module
 
-__version__ = "4.2.6"
+__version__ = "4.2.7"
 SCRIPT_DIRECTORY = Path(__file__).resolve().parent
 
 

diff --git a/web/generate.php b/web/generate.php
@@ -106,7 +106,7 @@
   $conversions = array();
   foreach ($_POST['conversions'] as $ext) {
     if ($ext == "_ddl.sql") {
-      $transformation_options .= " " . $_POST['sql_case'] . ":labels";
+      $transformation_options .= " " . escapeshellarg($_POST["sql_case"]) . ":labels";
     };
     if ($_POST['with_constraints']) {
       $option = $transformations[str_replace("_mld", "_mld_with_constraints", $ext)];
@@ -136,7 +136,7 @@
   );
   foreach ($default_option_values as $option => $default_value) {
     if (isset($_POST[$option]) && ($_POST[$option] != $default_value)) {
-      $basthon_options .= " --{$option}=" . $_POST[$option];
+      $basthon_options .= " --{$option}=" . escapeshellarg($_POST[$option]);
     };
   };
   $basthon_options = substr($basthon_options, 1); // strip the first space

diff --git a/web/rewrite.php b/web/rewrite.php
@@ -42,7 +42,7 @@
   } else {
     $mocodo = "~/.local/bin/mocodo";
 };
-$command_line = "{$mocodo} -t " . $_POST['args'] . " 2>&1";
+$command_line = "{$mocodo} -t " . escapeshellarg($_POST['args']) . " 2>&1"; //
 
 // Execute the command and test the exit code.
 // If it is not 0, return an array with a key "err" and the error message.