[SECURITY] Fix calc Shell Injection vulnerability
This commit is contained in:
parent
6d54165393
commit
f0dc43702a
2 changed files with 32 additions and 15 deletions
|
@ -53,10 +53,10 @@ async def _(msg: MessageSession):
|
|||
raise NoReportException('计算超时。')
|
||||
else:
|
||||
try:
|
||||
p = await asyncio.create_subprocess_shell(f'python "{os.path.abspath("./modules/calc/calc.py")}" "{msg.parsed_msg["<math_expression>"]}"',
|
||||
stdout=asyncio.subprocess.PIPE,
|
||||
stderr=asyncio.subprocess.PIPE
|
||||
)
|
||||
p = await asyncio.create_subprocess_exec('python', os.path.abspath("./modules/calc/calc.py"), msg.parsed_msg["<math_expression>"],
|
||||
stdout=asyncio.subprocess.PIPE,
|
||||
stderr=asyncio.subprocess.PIPE
|
||||
)
|
||||
try:
|
||||
await asyncio.wait_for(p.wait(), timeout=10)
|
||||
except asyncio.TimeoutError:
|
||||
|
@ -72,6 +72,6 @@ async def _(msg: MessageSession):
|
|||
await msg.finish(f'表达式无效:{res[7:]}')
|
||||
else:
|
||||
Logger.error(f'calc.py exited with code {p.returncode}')
|
||||
Logger.error(f'calc.py stderr: {stderr_data.decode("utf-8")}')
|
||||
Logger.error(f'calc.py stderr: {stderr_data.decode("gbk")}')
|
||||
except Exception as e:
|
||||
raise NoReportException(e)
|
||||
|
|
|
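Review bot: The new `create_subprocess_exec` call still resolves the interpreter as the bare name `python` through PATH, so the child can run under a different interpreter than the bot itself (or fail to start where only `python3` exists); prefer `p = await asyncio.create_subprocess_exec(sys.executable, os.path.abspath("./modules/calc/calc.py"), msg.parsed_msg["<math_expression>"],` (adding `import sys` if the module lacks it). The expression is now a single argv element, so the shell-metacharacter problem the title names is closed; what calc.py does with that string is governed by the evaluator in the other changed file. The `except asyncio.TimeoutError:` branch and the rest of the handler lie outside the hunk, so I cannot see whether the child is killed on timeout — if it is not, a `p.kill()` there keeps a runaway evaluation from outliving the 10 s `wait_for`. The script path is also still resolved with `os.path.abspath` against the current working directory rather than the module's own location; `os.path.join(os.path.dirname(__file__), "calc.py")` would pin it.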
@ -8,6 +8,23 @@ import statistics
|
|||
import cmath
|
||||
import decimal
|
||||
import fractions
|
||||
import os
|
||||
|
||||
if os.name == 'posix':
|
||||
os.nice(15)
|
||||
import resource
|
||||
resource.setrlimit(resource.RLIMIT_AS,
|
||||
(16 * 1024 * 1024, 16 * 1024 * 1024))
|
||||
resource.setrlimit(resource.RLIMIT_DATA,
|
||||
(16 * 1024 * 1024, 16 * 1024 * 1024))
|
||||
resource.setrlimit(resource.RLIMIT_STACK,
|
||||
(16 * 1024 * 1024, 16 * 1024 * 1024))
|
||||
elif os.name == 'nt':
|
||||
import win32process
|
||||
win32process.SetPriorityClass(win32process.GetCurrentProcess(
|
||||
), 16384)
|
||||
win32process.SetProcessWorkingSetSize(
|
||||
win32process.GetCurrentProcess(), 1, 16 * 1024 * 1024)
|
||||
|
||||
funcs = {}
|
||||
named_funcs = {}
|
||||
|
@ -42,16 +59,16 @@ s_eval = EvalWithCompoundTypes(
|
|||
ast.BitXor: op.xor,
|
||||
ast.Invert: op.invert,
|
||||
},
|
||||
functions={**funcs, **DEFAULT_FUNCTIONS,
|
||||
'bin': bin,
|
||||
'bool': bool,
|
||||
'complex': complex,
|
||||
'divmod': divmod,
|
||||
'hex': hex,
|
||||
'len': len,
|
||||
'oct': oct,
|
||||
'round': round
|
||||
},
|
||||
functions={**funcs, **DEFAULT_FUNCTIONS,
|
||||
'bin': bin,
|
||||
'bool': bool,
|
||||
'complex': complex,
|
||||
'divmod': divmod,
|
||||
'hex': hex,
|
||||
'len': len,
|
||||
'oct': oct,
|
||||
'round': round
|
||||
},
|
||||
names={
|
||||
**DEFAULT_NAMES, **consts, **named_funcs,
|
||||
'pi': math.pi,
|
||||
|
|
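Review bot: The posix branch caps memory but sets no CPU limit, so a runaway expression is bounded only by the caller's 10 s `wait_for` in the other changed file (whose timeout branch is not shown); adding `resource.setrlimit(resource.RLIMIT_CPU, (10, 10))` beside the three existing limits makes the child terminate on its own regardless of what the parent does. `RLIMIT_AS` counts all mapped address space including shared libraries, and 16 MiB may be below the baseline of a 64-bit CPython process, so confirm calc.py still starts under it rather than dying with `MemoryError`/`ImportError` at the next import, and note that `setrlimit` raises `ValueError` if 16 MiB exceeds the current hard limit. On the Windows side, `SetProcessWorkingSetSize` is a working-set hint rather than a hard allocation cap, and `16384` is an unexplained magic number — `win32process.BELOW_NORMAL_PRIORITY_CLASS` (if the installed pywin32 exposes it) or a comment such as `# 0x4000 = BELOW_NORMAL_PRIORITY_CLASS, mirrors nice(15) on posix` would make the intent clear. A one-line comment above `if os.name == 'posix':` saying the limits exist to contain untrusted expressions would also help the next reader understand why they sit at import time.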