Onionr/static-data/official-plugins/bigbrother/ministry/ofexec.py

"""Onionr - Private P2P Communication.
Prevent eval/exec/os.system and log it
"""
import base64
import platform
import logger
from utils import identifyhome
from onionrexceptions import ArbitraryCodeExec
"""
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
"""
# Enforcement switch read by block_exec(): while this is True, block_exec()
# returns before any allowlist check, logging or raise, so eval/exec events
# pass through unrestricted. block_system() does not consult this flag.
untrusted_exec = True
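def block_system(cmd):
    """Refuse an os.system call and record the attempted command.

    No allowlist is consulted in this function: every call is logged and
    then rejected.

    Args:
        cmd: the value to report in the log; presumably the command that
            was handed to os.system (confirm against the caller).

    Raises:
        ArbitraryCodeExec: always.
    """
    logger.warn('POSSIBLE EXPLOIT DETECTED, SEE LOGS', terminal=True)
    # repr() keeps newlines and other control characters in an untrusted
    # command from splitting or forging entries in the log.
    logger.warn(f'POSSIBLE EXPLOIT: shell command not in whitelist: {cmd!r}')
    raise ArbitraryCodeExec('os.system command not in whitelist')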
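def block_exec(event, info):
    """Reject eval/exec of code that is not allowlisted, and log a sample.

    Args:
        event: label of the triggering event; only used in the log message.
        info: sequence whose first item exposes ``co_code`` and
            ``co_filename`` (both are read below).

    Raises:
        ArbitraryCodeExec: when enforcement is on and the code matches
            neither allowlist nor the plugins path rule.
    """
    # because libraries have stupid amounts of compile/exec/eval,
    # We have to use a whitelist where it can be tolerated
    # Generally better than nothing, not a silver bullet
    if untrusted_exec:
        # Enforcement is switched off: nothing below runs, logging included.
        return

    # Despite the name, this list holds filename suffixes that are allowed.
    whitelisted_code = [
    ]
    # Despite the name, this list holds base64-encoded co_code values.
    whitelisted_source = [
    ]

    # NOTE(review): `home` is never read below; confirm whether the call is
    # needed for a side effect before removing it.
    home = identifyhome.identify_home()

    code = info[0]
    # NOTE(review): co_code is the raw bytecode only; co_consts and co_names
    # are not part of this key, so an entry pins the instruction sequence
    # and not the values it operates on. Consider a key that covers them.
    code_b64 = base64.b64encode(code.co_code).decode()
    if code_b64 in whitelisted_source:
        return

    if any(code.co_filename.endswith(suffix) for suffix in whitelisted_code):
        return
    # NOTE(review): this matches the substring anywhere in co_filename, and
    # co_filename is metadata attached when the code was compiled. Comparing
    # against the resolved plugin directory would be a stricter check.
    if 'plugins/' in code.co_filename:
        return

    logger.warn('POSSIBLE EXPLOIT DETECTED, SEE LOGS', terminal=True)
    # repr() keeps control characters in an untrusted filename from
    # splitting or forging entries in the log.
    logger.warn(f'POSSIBLE EXPLOIT DETECTED: {code.co_filename!r}')
    logger.warn('Prevented exec/eval. Report this with the sample below')
    logger.warn(f'{event} code in base64 format: {code_b64}')
    raise ArbitraryCodeExec("Arbitrary code (eval/exec) detected.")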