From c3f5d07fd0a763cbc8286265ab03ebe30fd56ee9 Mon Sep 17 00:00:00 2001
From: Taniadz
Date: Wed, 13 Sep 2017 11:23:23 +0300
Subject: Prevent command injection in VyConf external validator execution
---
 src/value_checker.ml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/value_checker.ml b/src/value_checker.ml
index e7bec15..3cd7123 100644
--- a/src/value_checker.ml
+++ b/src/value_checker.ml
@@ -17,11 +17,16 @@ let validate_value dir value_constraint value =
 *)
 let validator = F.concat dir v in
 let arg = BatOption.default "" c in
- let result = Unix.system (Printf.sprintf "%s %s %s" validator arg value) in
- match result with
- | Unix.WEXITED 0 -> true
- | Unix.WEXITED 127 -> raise (Bad_validator (Printf.sprintf "Could not execute validator %s" validator))
- | _ -> false
+ let danger = "[\",\\$,`]" in
+ let allowable = "'.*'" in
+ match Pcre.pmatch ~rex:(Pcre.regexp danger) validator with
+ |true -> false
+ |false ->
+ (match Pcre.pmatch ~rex:(Pcre.regexp danger) arg with
+ |false -> true
+ |true -> (try let _ = Pcre.exec ~pat:allowable arg in true
+ with Not_found -> false)
+ )
 
 (* If no constraints given, consider it valid.
 Otherwise consider it valid if it satisfies at least
-- 
cgit v1.2.3
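Review bot: The new side never runs the external validator and never reads `value`: from `match Pcre.pmatch ~rex:(Pcre.regexp danger) validator with` onward the branch returns `true` whenever `validator` and `arg` contain none of `"`, `,`, `$` or a backtick, so every user-supplied value passes this check and the `Bad_validator` error for a validator that cannot be executed is lost. Where the pattern check does apply it is a denylist that leaves out other shell metacharacters, and `allowable` is unanchored, so it would not be a sound guard in front of `Unix.system` either. Keeping the execution but dropping the shell removes the injection surface instead: pass `validator`, `arg` and `value` as separate argv entries to `Unix.create_process` and map the `Unix.waitpid` status as the removed lines did. If existing constraints rely on the shell splitting `arg` into several words, that split has to be done explicitly when building argv. `validate_value` starts above this hunk, so only the tail of this branch is visible here.

```ocaml
let arg = BatOption.default "" c in
(* Run the validator directly: argv entries reach the program verbatim,
   so no shell ever parses arg or value. *)
let argv =
  (* the old shell command line dropped an empty arg; keep that behaviour *)
  if arg = "" then [| validator; value |] else [| validator; arg; value |]
in
let pid =
  Unix.create_process validator argv Unix.stdin Unix.stdout Unix.stderr
in
(match snd (Unix.waitpid [] pid) with
 | Unix.WEXITED 0 -> true
 | Unix.WEXITED 127 ->
   raise
     (Bad_validator
        (Printf.sprintf "Could not execute validator %s" validator))
 | Unix.WEXITED _ | Unix.WSIGNALED _ | Unix.WSTOPPED _ -> false)
```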