使用Golang安全地执行命令(避免远程执行)

huangapple go评论130阅读模式
英文:

Safely execute command (avoid remote execution) with Golang

问题

我有一个用Go编写的小应用程序,通过执行一个进程并从查询字符串中提供一些输入来处理HTTP请求。我想知道如何最好地对该输入进行远程执行过滤。例如,PHP的替代方法可能是:
http://php.net/manual/en/function.escapeshellarg.php

目前,输入应该是一个有效的URL,如果这样更容易的话,但最好使用一个通用的过滤器。

英文:

I have a small app in go that handles http requests by executing a process and providing it with some input from the query string that a user supplied with the request. I was wondering what is the best way to filter that input against remote execution. The PHP alternative for example would be something like:
http://php.net/manual/en/function.escapeshellarg.php

Right now the input should be a valid URL if that makes it easier, but ideally a generic filter would be preferred.

答案1

得分: 4

通常,像这样的魔术函数很难正确实现,如果您过于依赖它们,往往会使您的应用程序容易受到攻击。

我建议您使用智能的URL/请求方案来获取所需运行的命令,并在用户请求和您的shell执行之间进行一定程度的解释,以确保不直接使用用户提供的参数。

例如,您可以获取包含?verbose=true的请求,并将其转换为命令行上的-v。当处理像需要直接提供给正在运行的命令的字符串这样的用户输入时,您需要使用引号进行简单的转义(通过简单检查输入是否包含引号),以确保不会遇到“Bobby Tables”问题。

另一种方法是通过管道或文件来使您的程序和底层命令交换数据,这样可以减少命令输入成为开放攻击向量的可能性。

英文:

Generally magic functions like that are very hard to get right and often they will leave your application open to attacks if you rely heavily on them.

I would recommend that you use a smart URL/request scheme to get the commands you need to run and put some level of interpretation in between the user request and your shell execution so no parameters given by the user is used directly.

You could get request that contain ?verbose=true and translate them to -v on the command line eg. When dealing with user input like strings that need to be directly given to the command being run you need to do simple escaping with quotes (with a simple check to see if the input contain quotes) to ensure you don't run into a "Bobby Tables" problem.

An alternative way would be to have your program and the underlying command exchange data through pipes or files eg. which would reduce the likeliness of leaving command input an open attack vector.

huangapple
  • 本文由 发表于 2014年5月22日 11:22:09
  • 转载请务必保留本文链接:https://go.coder-hub.com/23797313.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定