Merge pull request #413 from cPholloway/RE-260

Ensure all system calls are executable absolute paths
cpanel · Apr 15, 2024 · 332727d · 332727d
2 parents a23958c + 269654c
commit 332727d
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/elevate-cpanel b/elevate-cpanel
@@ -5609,6 +5609,9 @@ EOS
 
     sub _ssystem ( $command, %opts ) {
         my @args = @{ $command // [] };
+
+        return 42 if $args[0] !~ '^/' || !-x $args[0];
+
         INFO( "Running: " . join( " ", @args ) );
         INFO();    # Buffer so they can more easily read the output.
 

diff --git a/lib/Elevate/Roles/Run.pm b/lib/Elevate/Roles/Run.pm
@@ -70,6 +70,10 @@ sub ssystem_and_die ( $self, @args ) {
 
 sub _ssystem ( $command, %opts ) {
     my @args = @{ $command // [] };
+
+    # Only allow the program to be an executable absolute path
+    return 42 if $args[0] !~ '^/' || !-x $args[0];
+
     INFO( "Running: " . join( " ", @args ) );
     INFO();    # Buffer so they can more easily read the output.
 

diff --git a/t/ssystem.t b/t/ssystem.t
@@ -23,6 +23,11 @@ my $mock_log_file = Test::MockFile->file('/var/log/elevate-cpanel.log');
 
 my $cpev = cpev->new->_init;
 
+is( cpev->ssystem('nope'), 42, q[ssystem( 'nope' ) is disallowed] );
+is( cpev->ssystem('grep'), 42, 'Commands that are not absolute paths are not allowed' );
+
+is( cpev->ssystem('/etc/apache2/conf/httpd.conf'), 42, 'Commands that are not executable are not allowed' );
+
 is( cpev->ssystem("/bin/true"), 0, q[ssystem( "/bin/true" ) == 0] );
 isnt( my $status_false = cpev->ssystem("/bin/false"), 0, q[ssystem( "/bin/false" ) != 0] );