Patched /tmp/tmp4ofudqob/docker/utils/python_server.py

femto · Oct 21, 2024 · 3a642d6 · 3a642d6
1 parent e7687e5
commit 3a642d6
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/docker/utils/python_server.py b/docker/utils/python_server.py
@@ -69,6 +69,9 @@ def exposed_execute(self, command):
             sys.stderr = error_buffer
 
             with lock:
+                # Validate and sanitize the command before execution
+                if not self.is_safe_command(command):
+                    raise ValueError("Unsafe command detected")
                 exec(command, namespace)
 
             sys.stdout = sys.__stdout__
@@ -81,10 +84,23 @@ def exposed_execute(self, command):
             stack_trace = traceback.format_exc()
             return {"error": f"Error: {str(e)}\nStack trace:\n{stack_trace}"}
 
+    def is_safe_command(self, command):
+        # Implement proper validation and sanitization logic here
+        # This is a placeholder and should be replaced with actual security checks
+        unsafe_patterns = [
+            r"import\s+os",
+            r"import\s+subprocess",
+            r"__import__\s*\(",
+            r"eval\s*\(",
+            r"exec\s*\(",
+            r"open\s*\(",
+        ]
+        return not any(re.search(pattern, command, re.IGNORECASE) for pattern in unsafe_patterns)
+
 
 if __name__ == "__main__":
     parser = argparse.ArgumentParser(description="Run the RPyC server.")
     parser.add_argument("--port", type=int, default=3006, help="Port number to run the server on (default: 3006)")
     args = parser.parse_args()
     server = ThreadPoolServer(MyService(), port=args.port)
-    server.start()
+    server.start()