Added escaping for the placeholder parameters before passing it to the passexec command. #6794

Pravesh Sharma 2024-12-04 15:42:45 +05:30 committed by GitHub
parent d8ed75dbfd
commit 5e8a75cdf9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 11 additions and 3 deletions


@ -349,6 +349,7 @@ export default class ServerSchema extends BaseUISchema {
group: gettext('Advanced'), controlProps: {maxLength: null}, group: gettext('Advanced'), controlProps: {maxLength: null},
mode: ['properties', 'edit', 'create'], mode: ['properties', 'edit', 'create'],
disabled: pgAdmin.server_mode == 'True' && pgAdmin.enable_server_passexec_cmd == 'False', disabled: pgAdmin.server_mode == 'True' && pgAdmin.enable_server_passexec_cmd == 'False',
helpMessage: gettext('The server hostname, port, and username can be passed as variables by using the placeholders %HOST%, %PORT%, and %USERNAME%, which will be replaced with the corresponding server connection information.')
}, },
{ {
id: 'passexec_expiration', label: gettext('Password exec expiration (seconds)'), type: 'int', id: 'passexec_expiration', label: gettext('Password exec expiration (seconds)'), type: 'int',
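Review bot: The added helpMessage names the hostname placeholder as %HOST%, but the substitution in the PasswordExec section of this same commit replaces `'%HOSTNAME%'`, so a command written from this help text would keep the literal %HOST% unreplaced. Either the text should read `%HOSTNAME%, %PORT%, and %USERNAME%`, or the backend should accept both spellings. The text could also say that the username is quoted before substitution, since that changes what the command receives.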


@ -14,6 +14,7 @@ from threading import Lock
from flask import current_app from flask import current_app
import config import config
from pgadmin.utils.driver import get_driver
class PasswordExec: class PasswordExec:
@ -22,9 +23,9 @@ class PasswordExec:
def __init__(self, cmd, host, port, username, expiration_seconds=None, def __init__(self, cmd, host, port, username, expiration_seconds=None,
timeout=60): timeout=60):
cmd = str(cmd).replace('%HOSTNAME%', host) self.host = host
cmd = cmd.replace('%PORT%', str(port)) self.port = port
cmd = cmd.replace('%USERNAME%', username) self.username = username
self.cmd = cmd self.cmd = cmd
self.expiration_seconds = int(expiration_seconds) \ self.expiration_seconds = int(expiration_seconds) \
if expiration_seconds is not None else None if expiration_seconds is not None else None
@ -36,6 +37,12 @@ class PasswordExec:
if config.SERVER_MODE and not config.ENABLE_SERVER_PASS_EXEC_CMD: if config.SERVER_MODE and not config.ENABLE_SERVER_PASS_EXEC_CMD:
# Arbitrary shell execution on server is a security risk # Arbitrary shell execution on server is a security risk
raise NotImplementedError('Passexec not available in server mode') raise NotImplementedError('Passexec not available in server mode')
driver = get_driver(config.PG_DEFAULT_DRIVER)
self.cmd = str(self.cmd)
self.cmd = self.cmd.replace('%HOSTNAME%', self.host)
self.cmd = self.cmd.replace('%PORT%', str(self.port))
self.cmd = self.cmd.replace('%USERNAME%',
driver.qtIdent(None,self.username))
with self.lock: with self.lock:
if not self.password or self.is_expired(): if not self.password or self.is_expired():
if not self.cmd: if not self.cmd:
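Review bot: Only %USERNAME% is escaped in the added substitution block, and `driver.qtIdent` is SQL identifier quoting rather than shell quoting; %HOSTNAME% and %PORT% are still inserted verbatim. The guard comment just above speaks of shell execution, so if the command is run through a shell (the call is outside this hunk), identifier quoting does not neutralise shell metacharacters and the host value remains an unescaped input. Shell-appropriate quoting on every placeholder would match the commit's stated intent, e.g. `self.cmd = self.cmd.replace('%USERNAME%', shlex.quote(str(self.username)))` on POSIX shells, and the same for host and port, with `import shlex` added to the file's imports. The enclosing method starts and ends outside the hunk.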