

to prevent external command injections, added "source" header check for background job executions.
evrenesat committed Aug 31, 2016
1 parent ebc8713 commit 52eafbe
Showing 1 changed file with 11 additions and 5 deletions.
16 changes: 11 additions & 5 deletions zengine/wf_daemon.py
Expand Up @@ -18,7 +18,7 @@
from zengine.engine import ZEngine
from zengine.current import Current
from zengine.lib.cache import Session, KeepAlive
from zengine.lib.exceptions import HTTPError
from zengine.lib.exceptions import HTTPError, SecurityInfringementAttempt
from zengine.log import log
import sys
# receivers should be imported at right time, right place
Expand All @@ -31,6 +31,8 @@
wf_engine = ZEngine()

LOGIN_REQUIRED_MESSAGE = {'error': "Login required", "code": 401}


class Worker(object):
"""
Workflow runner worker object
Expand Down Expand Up @@ -101,14 +103,17 @@ def _handle_ping_pong(self, data, session):
return msg

def _handle_job(self, session, data, headers):
# security check for preventing external job execution attempts
if headers['source'] != 'Internal':
raise SecurityInfringementAttempt(
"Someone ({user}) from {ip} tried to inject a job {job}".format(user=session['user_id'], ip=headers['remote_ip'], job=data['job']))
self.current = Current(session=session, input=data)
self.current.headers = headers
# import method
method = get_object_from_path(settings.BG_JOBS[data['job']])
# call view with current object
method(self.current)


def _handle_view(self, session, data, headers):
# create Current object
self.current = Current(session=session, input=data)
Expand Down Expand Up @@ -153,22 +158,24 @@ def handle_message(self, ch, method, properties, body):
body: message body
"""
input = {}
headers = {}
try:
self.sessid = method.routing_key

input = json_decode(body)
data = input['data']

# since this comes as "path" we dont know if it's view or workflow yet
#TODO: just a workaround till we modify ui to
# TODO: just a workaround till we modify ui to
if 'path' in data:
if data['path'] in settings.VIEW_URLS:
data['view'] = data['path']
else:
data['wf'] = data['path']
session = Session(self.sessid)

headers = {'remote_ip': input['_zops_remote_ip']}
headers = {'remote_ip': input['_zops_remote_ip'],
'source': input['_zops_source']}

if 'wf' in data:
output = self._handle_workflow(session, data, headers)
Expand Down Expand Up @@ -220,7 +227,6 @@ def run_workers(no_subprocess, watch_paths=None, is_background=False):
# from watchdog.observers.polling import PollingObserver as Observer
from watchdog.events import FileSystemEventHandler


def on_modified(event):
if not is_background:
print("Restarting worker due to change in %s" % event.src_path)
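Review bot: The `source` value that `_handle_job` compares against `'Internal'` comes from the decoded message body itself (`input['_zops_source']`, the same JSON that carries the user-supplied `data`), so the check only blocks external job execution if the component publishing these messages overwrites or strips `_zops_source` before the message reaches the queue; nothing in this file shows that, so the assumption should be stated next to the check and enforced at the producer. A message that omits `_zops_source` now raises KeyError while building `headers` instead of failing the check, and a message that fails the check but lacks `job` raises KeyError inside the `.format()` call before `SecurityInfringementAttempt` is ever raised, which masks the security event; `'source': input.get('_zops_source')` and `job=data.get('job')` would keep the intended exception as the reported error. A comment above the comparison such as `# 'source' is copied from the message body; trusting it assumes the publisher, not the client, sets it` would make the dependency visible to the next reader. The try block in handle_message and its exception handlers continue outside the hunk, so whether the masking KeyError is logged as a security event cannot be confirmed here.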
