[SECURITY] Fix calc Shell Injection vulnerability

2023-01-21 17:01:10 +08:00 · 2023-01-21 17:01:10 +08:00 · f0dc43702a
commit f0dc43702a
parent 6d54165393
2 changed files with 32 additions and 15 deletions
--- a/modules/calc/init.py
+++ b/modules/calc/init.py
@ -53,10 +53,10 @@ async def _(msg: MessageSession):
            raise NoReportException('计算超时。')
    else:
        try:
-            p = await asyncio.create_subprocess_shell(f'python "{os.path.abspath("./modules/calc/calc.py")}" "{msg.parsed_msg["<math_expression>"]}"',
-                                                      stdout=asyncio.subprocess.PIPE,
-                                                      stderr=asyncio.subprocess.PIPE
-                                                      )
+            p = await asyncio.create_subprocess_exec('python', os.path.abspath("./modules/calc/calc.py"), msg.parsed_msg["<math_expression>"],
+                                                     stdout=asyncio.subprocess.PIPE,
+                                                     stderr=asyncio.subprocess.PIPE
+                                                     )
            try:
                await asyncio.wait_for(p.wait(), timeout=10)
            except asyncio.TimeoutError:
@ -72,6 +72,6 @@ async def _(msg: MessageSession):
                    await msg.finish(f'表达式无效：{res[7:]}')
            else:
                Logger.error(f'calc.py exited with code {p.returncode}')
-                Logger.error(f'calc.py stderr: {stderr_data.decode("utf-8")}')
+                Logger.error(f'calc.py stderr: {stderr_data.decode("gbk")}')
        except Exception as e:
            raise NoReportException(e)
--- a/modules/calc/calc.py
+++ b/modules/calc/calc.py
@ -8,6 +8,23 @@ import statistics
 import cmath
 import decimal
 import fractions
+import os
+
+if os.name == 'posix':
+    os.nice(15)
+    import resource
+    resource.setrlimit(resource.RLIMIT_AS,
+                       (16 * 1024 * 1024, 16 * 1024 * 1024))
+    resource.setrlimit(resource.RLIMIT_DATA,
+                       (16 * 1024 * 1024, 16 * 1024 * 1024))
+    resource.setrlimit(resource.RLIMIT_STACK,
+                       (16 * 1024 * 1024, 16 * 1024 * 1024))
+elif os.name == 'nt':
+    import win32process
+    win32process.SetPriorityClass(win32process.GetCurrentProcess(
+    ), 16384)
+    win32process.SetProcessWorkingSetSize(
+        win32process.GetCurrentProcess(), 1, 16 * 1024 * 1024)

 funcs = {}
 named_funcs = {}
@ -42,16 +59,16 @@ s_eval = EvalWithCompoundTypes(
        ast.BitXor: op.xor,
        ast.Invert: op.invert,
    },
-    functions={**funcs, **DEFAULT_FUNCTIONS, 
-        'bin': bin,
-        'bool': bool,
-        'complex': complex,
-        'divmod': divmod, 
-        'hex': hex,
-        'len': len, 
-        'oct': oct,
-        'round': round
-    },
+    functions={**funcs, **DEFAULT_FUNCTIONS,
+               'bin': bin,
+               'bool': bool,
+               'complex': complex,
+               'divmod': divmod,
+               'hex': hex,
+               'len': len,
+               'oct': oct,
+               'round': round
+               },
    names={
        **DEFAULT_NAMES, **consts, **named_funcs,
        'pi': math.pi,