Permalink
Show file tree
Hide file tree
7 changes: 4 additions & 3 deletions
7
...ab.binding.exec/src/main/java/org/openhab/binding/exec/internal/ExecBindingConstants.java
24 changes: 17 additions & 7 deletions
24
...nhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/ExecHandlerFactory.java
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Merge pull request from GHSA-w698-693g-23hv
* fix arbitrary code execution vulnerability Signed-off-by: Jan N. Klug <jan.n.klug@rub.de> * Update bundles/org.openhab.binding.exec/src/main/java/org/openhab/binding/exec/internal/handler/ExecHandler.java Co-Authored-By: Christoph Weitkamp <github@christophweitkamp.de> * address review comments Signed-off-by: Jan N. Klug <jan.n.klug@rub.de> Co-authored-by: Christoph Weitkamp <github@christophweitkamp.de>
- Loading branch information
Showing
9 changed files
with
397 additions
and
195 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
81 changes: 81 additions & 0 deletions
81
...nding.exec/src/main/java/org/openhab/binding/exec/internal/ExecWhitelistWatchService.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| /** | ||
| * Copyright (c) 2010-2020 Contributors to the openHAB project | ||
| * | ||
| * See the NOTICE file(s) distributed with this work for additional | ||
| * information. | ||
| * | ||
| * This program and the accompanying materials are made available under the | ||
| * terms of the Eclipse Public License 2.0 which is available at | ||
| * http://www.eclipse.org/legal/epl-2.0 | ||
| * | ||
| * SPDX-License-Identifier: EPL-2.0 | ||
| */ | ||
| package org.openhab.binding.exec.internal; | ||
|
|
||
| import org.eclipse.jdt.annotation.NonNullByDefault; | ||
| import org.eclipse.jdt.annotation.Nullable; | ||
| import org.eclipse.smarthome.config.core.ConfigConstants; | ||
| import org.eclipse.smarthome.core.service.AbstractWatchService; | ||
| import org.osgi.service.component.annotations.Activate; | ||
| import org.osgi.service.component.annotations.Component; | ||
|
|
||
| import java.io.File; | ||
| import java.io.IOException; | ||
| import java.nio.file.Files; | ||
| import java.nio.file.Path; | ||
| import java.nio.file.WatchEvent; | ||
| import java.util.HashSet; | ||
| import java.util.Set; | ||
|
|
||
| import static java.nio.file.StandardWatchEventKinds.*; | ||
|
|
||
| /** | ||
| * The {@link ExecWhitelistWatchService} provides a whitelist check for exec commands | ||
| * | ||
| * @author Jan N. Klug - Initial contribution | ||
| */ | ||
| @Component(service = ExecWhitelistWatchService.class) | ||
| @NonNullByDefault | ||
| public class ExecWhitelistWatchService extends AbstractWatchService { | ||
| private static final String COMMAND_WHITELIST_PATH = ConfigConstants.getConfigFolder() + File.separator + "misc"; | ||
| private static final String COMMAND_WHITELIST_FILE = "exec.whitelist"; | ||
| private final Set<String> commandWhitelist = new HashSet<>(); | ||
|
|
||
| @Activate | ||
| public ExecWhitelistWatchService() { | ||
| super(COMMAND_WHITELIST_PATH); | ||
| } | ||
|
|
||
| @Override | ||
| protected boolean watchSubDirectories() { | ||
| return false; | ||
| } | ||
|
|
||
| @Override | ||
| protected WatchEvent.Kind<?>[] getWatchEventKinds(@Nullable Path directory) { | ||
| return new WatchEvent.Kind<?>[] { ENTRY_CREATE, ENTRY_DELETE, ENTRY_MODIFY }; | ||
| } | ||
|
|
||
| @Override | ||
| protected void processWatchEvent(@Nullable WatchEvent<?> event, WatchEvent.@Nullable Kind<?> kind, @Nullable Path path) { | ||
| if (path.endsWith(COMMAND_WHITELIST_FILE)) { | ||
| commandWhitelist.clear(); | ||
| try { | ||
| Files.lines(path).forEach(commandWhitelist::add); | ||
| logger.debug("Updated command whitelist: {}", commandWhitelist); | ||
| } catch (IOException e) { | ||
| logger.warn("Cannot read whitelist file, exec binding commands won't be processed: {}", e.getMessage()); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * Check if a command is whitelisted | ||
| * | ||
| * @param command the command to check alias | ||
| * @return true if whitelisted, false if not | ||
| */ | ||
| public boolean isWhitelisted(String command) { | ||
| return commandWhitelist.contains(command); | ||
| } | ||
| } |
Oops, something went wrong.