mirror of
https://github.com/pgadmin-org/pgadmin4.git
synced 2024-11-22 16:56:30 -06:00
1) Disable the PSQL feature entirely in server mode by default.
2) Remove the code that attempts to filter out commands. refs #2341
This commit is contained in:
parent
c2ed799113
commit
2549688bdf
@ -10,10 +10,6 @@ PSQL tool allows user to connect to PostgreSQL/EDB Advanced server using psql te
|
||||
|
||||
* PSQL will connect to the current connected database from browser tree.
|
||||
|
||||
* PSQL utility does support execution of OS meta-commands by using "\\!". Due
|
||||
to security concerns, we have disabled the execution of such commands in
|
||||
pgAdmin. To enable OS meta-commands set ALLOW_PSQL_SHELL_COMMANDS = True in configuration.
|
||||
|
||||
.. image:: images/psql_tool.png
|
||||
:alt: PSQL tool window
|
||||
:align: center
|
||||
|
@ -620,7 +620,6 @@ LDAP_CA_CERT_FILE = ''
|
||||
LDAP_CERT_FILE = ''
|
||||
LDAP_KEY_FILE = ''
|
||||
|
||||
|
||||
##########################################################################
|
||||
# Kerberos Configuration
|
||||
##########################################################################
|
||||
@ -645,18 +644,12 @@ KERBEROS_CCACHE_DIR = os.path.join(DATA_DIR, 'krbccache')
|
||||
##########################################################################
|
||||
# PSQL tool settings
|
||||
##########################################################################
|
||||
# This will enable PSQL tool in pgAdmin. So user can execute the commands
|
||||
# using PSQL terminal in pgAdmin.
|
||||
ENABLE_PSQL = True
|
||||
# This will enable PSQL tool in pgAdmin when running in server mode.
|
||||
# PSQL is always enabled in Desktop mode, however in server mode it is
|
||||
# disabled by default because users can run arbitrary commands on the
|
||||
# server through it.
|
||||
ENABLE_PSQL = False
|
||||
|
||||
# ALLOW_PSQL_SHELL_COMMAND = True will disable the execution of os level
|
||||
# commands using meta command \! from PSQL terminal.
|
||||
# As PSQL allow user to execute the os level commands from the PSQL terminal
|
||||
# user can execute any system level command as per the system login user
|
||||
# privileges. Default this setting is set to False but if it set to True
|
||||
# User will able to execute the system level commands through PSQL terminal
|
||||
# in pgAdmin.
|
||||
ALLOW_PSQL_SHELL_COMMANDS = False
|
||||
##########################################################################
|
||||
# ENABLE_BINARY_PATH_BROWSING setting is used to enable the browse button
|
||||
# while selecting binary path for the database server in server mode.
|
||||
@ -702,3 +695,5 @@ if 'PGADMIN_CONFIG_DEFAULT_SERVER' in os.environ:
|
||||
# Disable USER_INACTIVITY_TIMEOUT when SERVER_MODE=False
|
||||
if not SERVER_MODE:
|
||||
USER_INACTIVITY_TIMEOUT = 0
|
||||
# Enable PSQL in Desktop Mode.
|
||||
ENABLE_PSQL = True
|
||||
|
@ -54,7 +54,6 @@ define('pgadmin.browser.utils',
|
||||
|
||||
/* GET PSQL Tool related config */
|
||||
pgAdmin['enable_psql'] = '{{enable_psql}}' == 'True';
|
||||
pgAdmin['allow_psql_shell_commands'] = '{{ current_app.config.get('ALLOW_PSQL_SHELL_COMMANDS') }}' == 'True';
|
||||
pgAdmin['platform'] = '{{platform}}';
|
||||
pgAdmin['qt_default_placeholder'] = '{{qt_default_placeholder}}'
|
||||
|
||||
|
@ -128,8 +128,6 @@ def set_term_size(fd, row, col, xpix=0, ypix=0):
|
||||
"""
|
||||
if _platform == 'win32':
|
||||
app.config['sessions'][request.sid].setwinsize(row, col)
|
||||
# data = {'key_name': 'Enter', 'input': '\n'}
|
||||
# socket_input(data)
|
||||
else:
|
||||
term_size = struct.pack('HHHH', row, col, xpix, ypix)
|
||||
fcntl.ioctl(fd, termios.TIOCSWINSZ, term_size)
|
||||
@ -462,91 +460,6 @@ def check_last_exe_cmd(data):
|
||||
return user_input
|
||||
|
||||
|
||||
def invalid_cmd():
|
||||
"""
|
||||
Invalid command
|
||||
:return:
|
||||
:rtype:
|
||||
"""
|
||||
session_last_cmd[request.sid]['invalid_cmd'] = True
|
||||
if _platform == 'win32':
|
||||
for i in range(len(session_input[request.sid])):
|
||||
app.config['sessions'][request.sid].write('\b \b')
|
||||
app.config['sessions'][request.sid].write('\r\n')
|
||||
|
||||
sio.emit(
|
||||
'pty-output',
|
||||
{
|
||||
'result': gettext(
|
||||
"ERROR: Shell commands are disabled "
|
||||
"in psql for security\r\n"),
|
||||
'error': True
|
||||
},
|
||||
namespace='/pty', room=request.sid)
|
||||
else:
|
||||
for i in range(len(session_input[request.sid])):
|
||||
os.write(app.config['sessions'][request.sid],
|
||||
'\b \b'.encode())
|
||||
|
||||
os.write(app.config['sessions'][request.sid],
|
||||
'\n'.encode())
|
||||
session_input[request.sid] = ''
|
||||
|
||||
|
||||
def check_valid_cmd(user_input):
|
||||
"""
|
||||
Check if user entered a valid cmd and \\! command is preset as a string
|
||||
only in current executing command. if \\! is present as command don't
|
||||
allow the execution of command.
|
||||
:param user_input:
|
||||
:return:
|
||||
"""
|
||||
stop_execution = True
|
||||
# Check \! is passed as string or not.
|
||||
double_quote_strs = re.findall('"([^"]*)"', user_input)
|
||||
if not double_quote_strs:
|
||||
double_quote_strs = re.findall("'([^']*)'", user_input)
|
||||
|
||||
if double_quote_strs:
|
||||
for sub_str in double_quote_strs:
|
||||
if re.search("\\\!", sub_str):
|
||||
stop_execution = False
|
||||
# break
|
||||
|
||||
if stop_execution:
|
||||
session_last_cmd[request.sid]['invalid_cmd'] = True
|
||||
if _platform == 'win32':
|
||||
# Remove already added command from terminal.
|
||||
for i in range(len(user_input)):
|
||||
app.config['sessions'][request.sid].write('\b \b')
|
||||
app.config['sessions'][request.sid].write('\n')
|
||||
|
||||
sio.emit(
|
||||
'pty-output',
|
||||
{
|
||||
'result': gettext(
|
||||
"ERROR: Shell commands are disabled "
|
||||
"in psql for security\r\n"),
|
||||
'error': True
|
||||
},
|
||||
namespace='/pty', room=request.sid)
|
||||
else:
|
||||
# Remove already added command from terminal.
|
||||
for i in range(len(user_input)):
|
||||
os.write(app.config['sessions'][request.sid],
|
||||
'\b \b'.encode())
|
||||
# Add Enter event to execute the command.
|
||||
os.write(app.config['sessions'][request.sid],
|
||||
'\n'.encode())
|
||||
else:
|
||||
session_last_cmd[request.sid]['invalid_cmd'] = False
|
||||
if _platform == 'win32':
|
||||
app.config['sessions'][request.sid].write('\n')
|
||||
else:
|
||||
os.write(app.config['sessions'][request.sid],
|
||||
'\n'.encode())
|
||||
|
||||
|
||||
def enter_key_press(data):
|
||||
"""
|
||||
Handel the Enter key press event.
|
||||
@ -555,23 +468,8 @@ def enter_key_press(data):
|
||||
user_input = check_last_exe_cmd(data)
|
||||
session_input_cursor[request.sid] = 0
|
||||
|
||||
# If ALLOW_PSQL_SHELL_COMMANDS is False then user can't execute
|
||||
# \! meta command to run shell commands through PSQL terminal.
|
||||
# Check before executing the user entered command does not
|
||||
# contains \! in input.
|
||||
is_new_connection = session_last_cmd[request.sid][
|
||||
'is_new_connection']
|
||||
|
||||
if user_input.startswith('\\!') and re.match("^\\\!$", user_input) and len(
|
||||
user_input) == 2 and not config.ALLOW_PSQL_SHELL_COMMANDS \
|
||||
and not is_new_connection:
|
||||
invalid_cmd()
|
||||
elif re.search("\\\!", user_input) and \
|
||||
not config.ALLOW_PSQL_SHELL_COMMANDS and\
|
||||
not session_last_cmd[request.sid]['is_new_connection']:
|
||||
check_valid_cmd(user_input)
|
||||
elif user_input == '\q' or user_input == 'q\\q' or user_input in ['exit',
|
||||
'exit;']:
|
||||
if user_input == '\q' or user_input == 'q\\q' or user_input in\
|
||||
['\quit', 'exit', 'exit;']:
|
||||
# If user enter \q to terminate the PSQL, emit the msg to
|
||||
# notify user connection is terminated.
|
||||
sio.emit('pty-output',
|
||||
|
Loading…
Reference in New Issue
Block a user