In Node.js, is there any value to validate if a text message is a linux shell command or a normal message with/without actually executing the text? Please give any suggestions.
答案 0 :(得分:1)
var commnads = 'alias,apt-get,aptitude,aspell,awk,basename,bc,bg,bind,break,builtin,bzip2,cal,case,cat,cd,cfdisk,chattr,chgrp,chmod,chown,chroot,chkconfig,cksum,cmp,comm,command,continue,cp,cron,crontab,csplit,curl,cut,date,dc,dd,ddrescue,declare,df,diff,diff3,dig,dir,dircolors,dirname,dirs,dmesg,du,echo,egrep,eject,enable,env,eval,exec,exit,expect,expand,export,expr,false,fdformat,fdisk,fg,fgrep,file,find,fmt,fold,for,fsck,ftp,function,fuser,gawk,getopts,grep,groupadd,groupdel,groupmod,groups,gzip,hash,head,history,hostname,htop,iconv,id,if,ifconfig,ifdown,ifup,import,install,iostat,ip,jobs,join,kill,killall,less,let,link,ln,local,locate,logname,logout,look,lpc,lpr,lprm,lsattr,lsblk,ls,lsof,lspci,man,mkdir,mkfifo,mkfile,mknod,mktemp,more,most,mount,mtools,mtr,mv,mmv,nc,netstat,nft,nice,nl,nohup,notify-send,nslookup,open,op,passwd,paste,Perf,ping,pgrep,pkill,popd,pr,printenv,printf,ps,pushd,pv,pwd,quota,quotacheck,ram,rar,rcp,read,readonly,rename,return,rev,rm,rmdir,rsync,screen,scp,sdiff,sed,select,seq,set,shift,shopt,shutdown,sleep,slocate,sort,source,split,ss,ssh,stat,strace,su,sudo,sum,suspend,sync,tail,tar,tee,test,time,timeout,times,touch,top,tput,traceroute,trap,tr,true,tsort,tty,type,ulimit,umask,unalias,uname,unexpand,uniq,units,unrar,unset,unshar,until,useradd,userdel,usermod,users,uuencode,uudecode,vi,vmstat,w,wait,watch,wc,whereis,which,while,who,whoami,write,xargs,xdg-open,xz,yes,zip,.,!!,###'.split(',');
if (commands.some(command => text_to_check.startsWith(command + ' ')))
{
//code goes here
}
答案 1 :(得分:1)
shell的type命令将检测内置命令,别名,函数,外部命令等。
child_process = require('child_process')
['lua','foobar'].forEach((cmd) => {
result = child_process.spawnSync('sh', ['-c', `type ${cmd}`])
console.log(result.status + '\t' + result.stdout.toString())
})
0 lua is /usr/local/bin/lua
127 foobar: not found
实际上,恶意输入仍然是恶意的。
这是一种解决方法:在type cmd字符串中用引号引起来,但是您必须处理命令本身中的所有引号
// 1. shell-quote any single quotes in the cmd
cmd = "da$(echo 'hello world')te"; // 'da$(echo \'hello world\')te'
escaped = cmd.replace(/'/g, `'"'"'`); // 'da$(echo \'"\'"\'hello world\'"\'"\')te'
// 2. in the command string, quote the escaped cmd argument
result = child_process.spawnSync('sh', ['-c', `type '${escaped}'`]);
// .................................................^..........^
console.log(result.status, result.stdout.toString());
127 'da$(echo \'hello world\')te: not found\n'
要整合@dee的答案,找到 command 单词,您首先必须解析出所有前导变量分配和/或重定向(https://www.gnu.org/software/bash/manual/bashref.html#Simple-Command-Expansion)和/或前导括号或大括号和/或...基本上实现了sh解析器。
答案 2 :(得分:1)
这看起来像是错误的设计。 通常,Linux命令可以是PATH中的任何二进制文件,内置的shell或别名。
您可以检查第一个单词是否指向路径中的二进制文件,但这仍然不能解决shell别名或内置插件(您至少需要一个内置列表)。
如果某人输入的“文本消息”恰巧以也是Linux命令(echo,cat等)的普通单词开头怎么办?
简短的回答:不要这样做,否则后果自负。