DavidMarchant
commented
5 years ago Currently, as it stands, all arguments that are passed to the commands are escaped with shlex quote - https://docs.python.org/3/library/shlex.html (https://github.com/alces-software/adminware/blob/develop/src/models/job.py#L167)
This does, as far as I am aware, prevent all security risks with arguments however it brings its own problem to the current implementation - namely that many arguments passed to the commands will be 'mangled' silently before execution and thus a tool might not act as expected. (e.g. if a pipe is passed for whatever benign purpose) What are your thoughts on this solution?
For the second part of your comment can I just confirm what you're asking of us - the ability to enter arguments into a predefined section of the shell command, not necessarily at the end? USER in your example? If so I'm sure this would be do-able with some tinkering
WilliamMcCumstie
ColonelPanicks
Currently, to my understanding, the arguments system passes anything from the end of the run command onto the end of the defined command.
This could lead to a lot of potential security risks through piping or potentially other ways so would it be possible to make arguments a definable feature. Such that the argument is enforced to be purely alphanumeric and can be "slotted in" to the command.
For example, if I had a batch report command for showing processes running for a user as follows:
I would like to be able to run it through adminware and simply provide a username to slot in there, perhaps like