From 0104bad1f06ae20883ce30508e6d88764c7f8a98 Mon Sep 17 00:00:00 2001
From: Zhipeng Xie
Date: Tue, 7 Jan 2020 04:08:37 -0500
Subject: [PATCH] atuned: add input validation for collection

collection need input validation before exec

Signed-off-by: Zhipeng Xie
---
 .gitignore | 3 +++
 common/utils/utils.go | 11 +++++++++++
 modules/server/profile/profile.go | 20 ++++++++++++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4331226
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/pkg/
+*.pyc
+database/atuned.db
diff --git a/common/utils/utils.go b/common/utils/utils.go
index 46734fe..c930705 100644
--- a/common/utils/utils.go
+++ b/common/utils/utils.go
@@ -25,6 +25,7 @@ import (
 	"path"
 	"path/filepath"
 	"plugin"
+	"regexp"
 	"strconv"
 	"strings"
 	"syscall"
@@ -278,3 +279,13 @@ func DiskByName(disk string) error {
 	return fmt.Errorf("disk %s is not exist", disk)
 }
+
+// common input string validator
+func IsInputStringValid(input string) bool {
+	if input != "" {
+		if isOk, _ := regexp.MatchString("^[a-zA-Z0-9/.-_]*$", input); isOk {
+			return isOk
+		}
+	}
+	return false
+}
diff --git a/modules/server/profile/profile.go b/modules/server/profile/profile.go
index 5f57367..58f38ef 100644
--- a/modules/server/profile/profile.go
+++ b/modules/server/profile/profile.go
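Review bot: The character class in IsInputStringValid's pattern, `^[a-zA-Z0-9/.-_]*$`, does not contain a literal hyphen: `.-_` is a range from '.' (0x2E) to '_' (0x5F), so the validator rejects '-' (0x2D) entirely while admitting ':', ';', '<', '=', '>', '?', '@', '[', '\', ']' and '^', which is both stricter and looser than the comment suggests. Moving the hyphen to the end of the class gives the intended set: `^[a-zA-Z0-9/._-]*$`. Since the pattern is a constant it should be compiled once at package scope with `var validInput = regexp.MustCompile("^[a-zA-Z0-9/._-]*$")`, which also removes the silently discarded error from MatchString and lets the body collapse to `return input != "" && validInput.MatchString(input)`. As an exported function it also needs a doc comment starting with its name, e.g. `// IsInputStringValid reports whether input is non-empty and consists only of ASCII letters, digits, '/', '.', '_' and '-'.`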
@@ -691,6 +691,26 @@ func (s *ProfileServer) ProfileRollback(profileInfo *PB.ProfileInfo, stream PB.P
 Collection method call collection script to collect system data.
 */
 func (s *ProfileServer) Collection(message *PB.CollectFlag, stream PB.ProfileMgr_CollectionServer) error {
+	if valid := utils.IsInputStringValid(message.GetWorkload()); !valid {
+		return fmt.Errorf("input:%s is invalid", message.GetWorkload())
+	}
+
+	if valid := utils.IsInputStringValid(message.GetOutputPath()); !valid {
+		return fmt.Errorf("input:%s is invalid", message.GetOutputPath())
+	}
+
+	if valid := utils.IsInputStringValid(message.GetType()); !valid {
+		return fmt.Errorf("input:%s is invalid", message.GetType())
+	}
+
+	if valid := utils.IsInputStringValid(message.GetBlock()); !valid {
+		return fmt.Errorf("input:%s is invalid", message.GetBlock())
+	}
+
+	if valid := utils.IsInputStringValid(message.GetNetwork()); !valid {
+		return fmt.Errorf("input:%s is invalid", message.GetNetwork())
+	}
+
 	classApps := &sqlstore.GetClassApp{Class: message.GetType()}
 	err := sqlstore.GetClassApps(classApps)
 	if err != nil {
-- 
GitLab
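Review bot: All five checks return the identical message `input:%s is invalid`, so a caller cannot tell which of workload, output path, type, block or network was rejected; the message should name the field, and a value that has just failed validation is better printed with %q than %s so empties and odd characters are visible. Because IsInputStringValid rejects the empty string, each of these five fields has silently become mandatory — if any of them is optional in CollectFlag, requests that were accepted before this commit are now refused, which is worth confirming against the proto definition. The `if valid := …; !valid` form only negates the call and the five blocks are otherwise identical, so a loop over name/value pairs reads more clearly and keeps the messages consistent. Collection's body continues past the end of the hunk, so where these values are used afterwards is not visible here.
```go
func (s *ProfileServer) Collection(message *PB.CollectFlag, stream PB.ProfileMgr_CollectionServer) error {
	inputs := []struct{ name, value string }{
		{"workload", message.GetWorkload()},
		{"output path", message.GetOutputPath()},
		{"type", message.GetType()},
		{"block", message.GetBlock()},
		{"network", message.GetNetwork()},
	}
	for _, in := range inputs {
		if !utils.IsInputStringValid(in.value) {
			return fmt.Errorf("%s %q is invalid", in.name, in.value)
		}
	}
	// … unchanged: classApps lookup and the rest of Collection …
```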