ghantoos / lshell

lshell is a shell coded in Python, that lets you restrict a user's environment to limited sets of commands, choose to enable/disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing restriction, and more.
GNU General Public License v3.0

[bug] error with advanced/complex regex #118

Closed ghantoos closed 21 hours ago

ghantoos commented 8 years ago

Received the following bug report by email.

Hi ghantoos, I got the following errors when using lshell to restrict the user. We need to use the grep command to filter the apache log, so we used too many regex expressions; maybe some of them are not well recognized or processed by lshell.

In the configuration /etc/lshell.conf, I already added the following to the allowed list:

allowed : ['grep','cd','more','cat','ls','pwd','less','|','tail','head','wc','cut','df','gzip','gunzip','zip','unzip','tar','find','ssh','date','md5sum','ll','ftp',';','xargs','(',')']

:~$ grep -P '\[\d{2}/[A-z]{3}/\d{4}:22:\d{2}:\d{2}\s+(?:-|\+)\d{4}\].+"UID=[\w.]+"' /apache/apache2/logs/access_log.2015-11-08
/bin/sh: -c: line 0: syntax error near unexpected token `('
/bin/sh: -c: line 0: ``which echo` \[\d{2}/[A-z]{3}/\d{4}:22:\d{2}:\d{2}\s+(?:-'
Traceback (most recent call last):
  File "/usr/bin/lshell", line 54, in <module>
    main()
  File "/usr/bin/lshell", line 44, in main
    cli.cmdloop()
  File "/usr/lib/python2.6/site-packages/lshell/shellcmd.py", line 591, in cmdloop
    stop = self.onecmd(line)
  File "/usr/lib/python2.6/site-packages/lshell/shellcmd.py", line 714, in onecmd
    func = getattr(self, 'do_' + cmd)
  File "/usr/lib/python2.6/site-packages/lshell/shellcmd.py", line 115, in __getattr__
    if self.check_path(self.g_line, strict = self.conf['strict']) == 1:
  File "/usr/lib/python2.6/site-packages/lshell/shellcmd.py", line 498, in check_path
    item = cout.readlines()[0].split(' ')[0].strip()
IndexError: list index out of range

ghantoos commented 8 years ago

The last commit prevents the traceback, and warns the user that the command was not executed. However, this does not fix the issue behind it: the string is chopped into pieces (e.g. with the |), and the check is done on one part of the string, that includes only one parenthesis; thus making the check fail with syntax error near unexpected token '('. Keeping this open.
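
The failure mode described in the comment above, as an added example that is not lshell's code: a split on | and ; that ignores quoting cuts the reported grep pattern at the | inside the quoted regex, while a quote-aware split keeps it as one command. The function names naive_split and quote_aware_split are hypothetical, and the naive version is only an assumed model of the failing check.

```python
import re

# Constructed input: the command line quoted in the bug report above.
REPORTED = r"""grep -P '\[\d{2}/[A-z]{3}/\d{4}:22:\d{2}:\d{2}\s+(?:-|\+)\d{4}\].+"UID=[\w.]+"' /apache/apache2/logs/access_log.2015-11-08"""

def naive_split(line):
    """Quote-unaware split on | and ; (assumed model of the failing check)."""
    return [p.strip() for p in re.split(r"[|;]", line) if p.strip()]

def quote_aware_split(line):
    """Split on | and ; only outside quotes; reject unbalanced quotes."""
    parts, buf, quote, i = [], [], None, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quote != "'" and i + 1 < len(line):
            # Backslash escapes the next character, except inside '...'.
            buf.append(line[i:i + 2])
            i += 2
            continue
        if quote:
            if ch == quote:          # closing quote
                quote = None
        elif ch in "'\"":            # opening quote
            quote = ch
        elif ch in "|;":             # real separator, outside any quote
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if quote:
        raise ValueError("unbalanced %s quote: refuse to check or run" % quote)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

if __name__ == "__main__":
    for piece in naive_split(REPORTED):
        print("naive :", piece)
    for piece in quote_aware_split(REPORTED):
        print("quoted:", piece)
```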