validate.go
package main
import (
"fmt"
"regexp"
"strings"
)
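// validateLinuxCommand checks cmd against the denylist in disallowedPatterns
// and a few structural rules. It returns nil when the command is accepted and
// a descriptive error otherwise.
//
// The checks run in this order:
//  1. the whitespace-trimmed command must not be empty;
//  2. it must not contain control characters other than a horizontal tab
//     (a line break separates commands just as ';' does, and ';' is on the
//     denylist);
//  3. it must not match any pattern in disallowedPatterns;
//  4. single quotes and double quotes must each occur an even number of times.
//
// A denylist pattern that fails to compile rejects the command, so a broken
// rule can never turn into "allowed".
//
// NOTE(review): this is a denylist and only catches the constructs it lists.
// Where possible, pair it with an allowlist of permitted programs and run the
// accepted command without a shell.
func validateLinuxCommand(cmd string) error {
	cmd = strings.TrimSpace(cmd)
	if cmd == "" {
		return fmt.Errorf("empty command")
	}

	// Embedded line breaks and other control characters are rejected up front;
	// leading and trailing ones were already removed by TrimSpace.
	isControl := func(r rune) bool { return r != '\t' && (r < 0x20 || r == 0x7f) }
	if strings.IndexFunc(cmd, isControl) >= 0 {
		return fmt.Errorf("command contains control characters or line breaks, which is not allowed")
	}

	// Map iteration order is unspecified and several patterns overlap, so every
	// pattern is evaluated and one fixed winner is reported: the longest
	// matching pattern, ties broken lexically. This keeps the error message
	// stable across calls.
	var (
		hit   string
		found bool
	)
	for pattern := range disallowedPatterns {
		matched, err := regexp.MatchString(pattern, cmd)
		if err != nil {
			// Fail closed: an unusable rule must not let the command through.
			return fmt.Errorf("invalid validation pattern %q: %w", pattern, err)
		}
		if !matched {
			continue
		}
		if !found || len(pattern) > len(hit) || (len(pattern) == len(hit) && pattern < hit) {
			hit, found = pattern, true
		}
	}
	if found {
		return fmt.Errorf("command contains %s, which is not allowed", disallowedPatterns[hit])
	}

	// Quote balance is checked by count only; nesting is not analysed.
	if strings.Count(cmd, "'")%2 != 0 {
		return fmt.Errorf("unmatched single quotes in command")
	}
	if strings.Count(cmd, "\"")%2 != 0 {
		return fmt.Errorf("unmatched double quotes in command")
	}
	return nil
}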
// disallowedPatterns is the denylist consulted by validateLinuxCommand. Each
// key is a regular expression; each value is the description inserted into the
// rejection message when that expression matches the command.
//
// Notes for maintainers:
//   - Several entries overlap (`&` also matches "&&", `>` also matches ">>",
//     and the `\)` alternative matches any closing parenthesis), so more than
//     one description can apply to the same input.
//   - The two keyword alternations carry no \b anchors, so they also match
//     inside longer words, and their `\.` alternative rejects every literal dot.
//   - Program names are matched as whole words only.
//   - NOTE(review): a denylist covers only what it lists. Treat it as one
//     layer; an allowlist of permitted programs is the more robust control.
var disallowedPatterns = map[string]string{
	// Pipes and command chaining.
	`^\||\|$`: "command begins or ends with a pipe '|'",
	`\|\|`: "OR operator '||'",
	`&&`: "AND operator '&&'",
	`&`: "background execution operator '&'",
	`;`: "semicolons ';'",

	// Redirection.
	`>|>>`: "output redirection '>' or '>>'",
	`<|<<`: "input redirection '<' or '<<'",

	// Quoting, comments and escapes.
	"`": "backticks '`'",
	`#`: "comments '#'",
	`\\`: "backslash '\\'",
	`~`: "tilde '~' for home directory expansion",

	// Substitution and expansion syntax.
	`\$\(|\)`: "command substitution '$(...)'",
	`\$\{.*\}`: "variable expansion '${...}'",
	`\(\(.*\)\)`: "arithmetic expansion '(())'",
	`{|}`: "brace expansion '{}'",
	`\[\[|\]\]`: "conditional expression '[[...]]'",
	`:[p]?[:=?+.-]`: "parameter expansion operators",

	// Shell keywords (substring matches, no word boundaries).
	`export|source|\.|sudo|eval|exec|alias|function`: "disallowed keywords",
	`if|then|else|fi|for|while|do|done|case|esac`: "control structures",

	// Command prefixes, built-ins and job or scheduling control.
	`\btime\b`: "'time' command prefix",
	`\bnohup\b`: "'nohup' command prefix",
	`\bxargs\b`: "'xargs' command",
	`\benv\b`: "'env' command",
	`\bnice\b`: "'nice' command prefix",
	`\btrap\b`: "'trap' command",
	`\bcommand\b`: "'command' built-in",
	`\bset\b`: "'set' built-in",
	`\bunset\b`: "'unset' built-in",
	`\bwait\b`: "'wait' built-in",
	`\bkill\b`: "'kill' command",
	`\bcron\b`: "cron-related commands",
	`\bat\b`: "'at' command",

	// File and permission manipulation.
	`\bchmod\b`: "'chmod' command",
	`\bchown\b`: "'chown' command",
	`\bchgrp\b`: "'chgrp' command",
	`\bmkdir\b`: "'mkdir' command",
	`\brm\b`: "'rm' command",
	`\bmv\b`: "'mv' command",
	`\bcp\b`: "'cp' command",
	`\bln\b`: "'ln' command",
	`\btouch\b`: "'touch' command",
	`\bdd\b`: "'dd' command",

	// Search, text processing, interpreters and encoders.
	`\bfind\b`: "'find' command",
	`\bgrep\b`: "'grep' command",
	`\bsed\b`: "'sed' command",
	`\bawk\b`: "'awk' command",
	`\bperl\b`: "'perl' command",
	`\bpython\b`: "'python' command",
	`\bruby\b`: "'ruby' command",
	`\bbase64\b`: "'base64' command",

	// Network clients, socket inspection and firewall tools.
	`\bcurl\b`: "'curl' command",
	`\bwget\b`: "'wget' command",
	`\bnc\b`: "'nc' (netcat) command",
	`\bnetstat\b`: "'netstat' command",
	`\bss\b`: "'ss' command",
	`\biptables\b`: "'iptables' command",
	`\bufw\b`: "'ufw' command",

	// Service management and system logs.
	`\bsystemctl\b`: "'systemctl' command",
	`\bservice\b`: "'service' command",
	`\bjournalctl\b`: "'journalctl' command",
	`\bdmesg\b`: "'dmesg' command",

	// Accounts and authentication.
	`\blogin\b`: "'login' command",
	`\bsu\b`: "'su' command",
	`\bpasswd\b`: "'passwd' command",
	`\buseradd\b`: "'useradd' command",
	`\buserdel\b`: "'userdel' command",

	// Kernel modules.
	`\bmodprobe\b`: "'modprobe' command",
	`\binsmod\b`: "'insmod' command",
	`\brmmod\b`: "'rmmod' command",
}