I am taking an input string from a user and using it as the parameters for a command-line back-end program.
What is the best way to ensure that this input is "safe"? I.e., that they haven't inserted "; cd /; rm -rf" or some other ugliness into the field?
Without any sanitizing I have...
@query = params[:query]
@result = %x( mycommand #{@query} )
I need to get the output of the command, so I can't use system("command", "parameters"), as that only returns true or false, although it would provide protection.
I know this is dangerous... thanks in advance.
4 answers
#1
Always, always define what you will accept and then deny everything else. Too often people try to allow everything and then deny the bad things.
- Start with characters. I.e., if mycommand only needs alphanumeric input plus spaces, then only allow that. There would be no chance of "rm -rf /" sneaking in, nor of the other 10,000 things that require punctuation.
- Are there further syntactics/semantics of mycommand that you can use to define "good" input? Such as it requiring exactly 2 space-separated parameters?
Without knowing what mycommand is I can't offer specifics, but you get the idea: don't try to throw away bad things; define valid and throw away everything else. Note that this is still hard, but without this approach it's almost impossible.
#2
Due to the nature of executing commands, I would probably say that you should use a whitelist to ensure that only anticipated commands are run. This strikes me as rather dangerous though!
#3
If, as you said in your response to dwc, you require a domain name (I'm assuming you mean fully qualified) or an IP address, you can use Resolv to do a lookup on them and only accept them if there's a matching A/CNAME in the case of a domain name, or a PTR in the case of an IP.
If they enter an IP to which there's no reverse PTR, you could have problems. If they enter a domain name to which there's no A/CNAME, then chances are your command would have failed anyway.
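The check this answer describes, written out in Ruby as an added example (not the answerer's code). It first requires the input to be syntactically a plain IP address or an RFC 1123-style hostname, which by itself excludes every shell metacharacter, and only then asks DNS for a PTR (for an IP) or an A/CNAME (for a name). The resolver is passed in as a parameter so the example can run offline against a constructed stand-in; with the default, `Resolv` from the standard library does the real lookups. The hostnames and addresses in the stand-in are invented test data.

```ruby
require "ipaddr"
require "resolv"

# Hostname label: 1..63 chars of letters, digits and hyphens, not starting or
# ending with a hyphen (RFC 1123 style). Nothing else is allowed, so a value
# that passes also contains no shell metacharacters.
HOSTNAME_LABEL = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/

def valid_hostname?(name)
  return false unless name.is_a?(String) && name.length.between?(1, 253)
  labels = name.chomp(".").split(".", -1)
  !labels.empty? && labels.all? { |label| label.match?(HOSTNAME_LABEL) }
end

# Returns an IPAddr for a plain v4/v6 address, or nil. IPAddr also accepts
# "10.0.0.0/8" (a network, not a host), so anything with a prefix is refused.
def parse_ip(str)
  return nil if str.include?("/")
  IPAddr.new(str)
rescue IPAddr::InvalidAddressError
  nil
end

# Applies answer #3's rule: an IP must have a PTR record, a hostname must
# resolve (getaddress follows a CNAME to its A/AAAA target). Returns
# [:ip, "a.b.c.d"] or [:host, "name"], or raises ArgumentError.
# `resolver` only needs getaddress(name) and getname(ip), as Resolv provides.
def classify_target(input, resolver: Resolv)
  str = input.to_s.strip
  if (ip = parse_ip(str))
    begin
      resolver.getname(ip.to_s)
    rescue Resolv::ResolvError
      raise ArgumentError, "no PTR record for #{ip}"
    end
    return [:ip, ip.to_s]
  end
  raise ArgumentError, "not an IP address or hostname" unless valid_hostname?(str)
  host = str.downcase.chomp(".")
  begin
    resolver.getaddress(host)
  rescue Resolv::ResolvError
    raise ArgumentError, "#{host} has no A/CNAME record"
  end
  [:host, host]
end

# Returns the classification or a "rejected: ..." string.
def check_target(input, resolver: Resolv)
  classify_target(input, resolver: resolver)
rescue ArgumentError => e
  "rejected: #{e.message}"
end

# Constructed stand-in for Resolv so the example runs offline. The records
# are invented test data using RFC 5737 documentation addresses.
module OfflineResolver
  ADDRESSES = { "example.com" => "192.0.2.10", "www.example.com" => "192.0.2.10" }
  NAMES     = { "192.0.2.10" => "example.com" }

  def self.getaddress(name)
    ADDRESSES.fetch(name) { raise Resolv::ResolvError, "no address for #{name}" }
  end

  def self.getname(ip)
    NAMES.fetch(ip) { raise Resolv::ResolvError, "no name for #{ip}" }
  end
end

if $PROGRAM_NAME == __FILE__
  [
    "192.0.2.10",             # IP with PTR      -> accepted
    "198.51.100.7",           # IP without PTR   -> rejected (the case the answer warns about)
    "WWW.Example.COM.",       # resolves         -> accepted as www.example.com
    "nothing.example",        # no record        -> rejected
    "example.com; rm -rf /",  # metacharacters   -> rejected before any lookup
    "192.0.2.0/24",           # a network        -> rejected
  ].each { |t| puts "#{t.inspect} => #{check_target(t, resolver: OfflineResolver).inspect}" }
end
```

Note that the DNS step is a policy check on top of the syntax check, not a substitute for it: the lookup is only ever performed on a string that has already been proven to be a bare address or hostname, so the resolver never sees attacker-controlled punctuation either.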
#4
Another option: if your commands are bounded, you could create a list of commands in a drop-down and put the args into other fields/checkboxes/pulldowns. Then validate each argument as Mike suggests.
This would prevent any user-entered value from really making it to the command line.