
689b2c1f9ea18b1fce47d09db755d92cbaf0cb7c — Samuel Hunter 3 years ago cd3df6f
Stop commands that try to escape out of CgiBin
1 files changed, 13 insertions(+), 2 deletions(-)

M cordcgi.go
M cordcgi.go => cordcgi.go +13 -2
@@ 42,6 42,8 @@ func loadSettingsOrPanic() {
}

func botUrl() string {
	// The 2048 permissions bit is solely SendMessage. That's it. This bot
	// framework doesn't do anything else.
	return fmt.Sprintf("https://discordapp.com/oauth2/authorize"+
		"?client_id=%s&scope=bot&permissions=2048",
		Settings.ClientID)


@@ 82,11 84,20 @@ func messageCreate(s *discordgo.Session, m *discordgo.MessageCreate) {
	}

	// Log all messages being processed.
	logger.Println("New message: ", m.Content)
	logger.Printf("New message from %s#%s <@%s>: %s\n", m.Author.Username, m.Author.Discriminator, m.Author.ID, m.Content)

	content := m.Content[len(Settings.Prefix):]
	args := strings.Split(content, " ")
	command := path.Join(Settings.CgiBin, args[0])
	command := path.Clean(args[0])

	// Make sure the command doesn't escape out and run binaries we don't
	// want to see.
	if strings.HasPrefix(command, "..") {
		logger.Println("Command", command, "tried to escape. Nice try.")
		return
	}

	command = path.Join(Settings.CgiBin, command)
	cmd := exec.Command(command, args[1:]...)
	var out bytes.Buffer