From 9af3f06b5691bfdda48fee5bdec0f935e5cdf0ea Mon Sep 17 00:00:00 2001
From: Kevin Froman
Date: Wed, 18 Dec 2019 03:58:47 -0600
Subject: [PATCH] added block system auditor
---
 src/bigbrother/__init__.py | 2 ++
 src/bigbrother/ministry/ofexec.py | 23 +++++++++++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/bigbrother/__init__.py b/src/bigbrother/__init__.py
index 0412440c..c8250ad7 100644
--- a/src/bigbrother/__init__.py
+++ b/src/bigbrother/__init__.py
@@ -38,6 +38,8 @@ def sys_hook_entrypoint(event, info):
 elif event == 'exec':
 # logs and block both exec and eval
 ministry.ofexec.block_exec(event, info)
+ elif event == 'system':
+ ministry.ofexec.block_system(info)
 def enable_ministries(disable_hooks: Iterable = []):
diff --git a/src/bigbrother/ministry/ofexec.py b/src/bigbrother/ministry/ofexec.py
index dbdbbf9d..b2ec6a68 100644
--- a/src/bigbrother/ministry/ofexec.py
+++ b/src/bigbrother/ministry/ofexec.py
@@ -1,9 +1,10 @@
 """
 Onionr - Private P2P Communication
- Prevent eval/exec and log it
+ Prevent eval/exec/os.system and log it
 """
 import base64
+import platform
 import logger
 from utils import identifyhome
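Review bot: The new `elif event == 'system':` branch will never fire if `sys_hook_entrypoint` is the callback passed to `sys.addaudithook`, because CPython raises the `os.system()` audit event under the name `os.system`, with `args` being the one-tuple `(command,)`; as written, shell commands are silently not audited at all. The intent appears to need `elif event == 'os.system':` and `ministry.ofexec.block_system(info[0])`, so that `block_system` receives the command string rather than the tuple the existing `exec` branch forwards whole — otherwise the f-string in `block_system` logs a tuple and any `str` method on `cmd` raises `AttributeError` instead of `ArbitraryCodeExec`. How this hook is registered is outside the hunk, so confirm the event name and argument shape against that call site. The enclosing `sys_hook_entrypoint` starts before the hunk.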
@@ -24,12 +25,30 @@ from onionrexceptions import ArbitraryCodeExec
 """
+def block_system(cmd):
+ allowed = 'taskkill /PID '
+ is_ok = False
+ if platform.platform == 'Windows':
+ if cmd.startswith(allowed):
+ for c in cmd.split(allowed)[1]:
+ if not c.isalnum() or c not in ('/', 'F', ' '):
+ break
+ else:
+ is_ok = True
+ if not is_ok:
+ logger.warn('POSSIBLE EXPLOIT DETECTED, SEE LOGS', terminal=True)
+ logger.warn(f'POSSIBLE EXPLOIT: shell command not in whitelist: {cmd}')
+ raise ArbitraryCodeExec('os.system command not in whitelist')
+
+
 def block_exec(event, info):
- """Prevent arbitrary code execution in eval/exec and log it"""
+ """Prevent arbitrary code execution in eval/exec and log it
+ """
 # because libraries have stupid amounts of compile/exec/eval,
 # We have to use a whitelist where it can be tolerated
 whitelisted_code = [
 'netrc.py',
+ 'shlex.py',
 '',
 'werkzeug/test.py',
 'multiprocessing/popen_fork.py',
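Review bot: The allowlist in `block_system` can never admit a command: `platform.platform == 'Windows'` compares the function object itself to a string (it is never called, and `platform.system()` is the call that returns `'Windows'`), so `is_ok` stays `False` and every `os.system` call, including the intended `taskkill /PID …`, raises `ArbitraryCodeExec` — fail-closed, but the feature is dead code. Even with that fixed, the per-character test is inverted: for a PID digit `not c.isalnum()` is false but `c not in ('/', 'F', ' ')` is true, so the loop breaks on the first digit and `'taskkill /PID 123 /F'` is rejected; the condition should be `not (c.isalnum() or c in ('/', ' '))` (`'F'` is already alphanumeric). Finally, `cmd.split(allowed)[1]` inspects only the text up to the next occurrence of the prefix, so a command such as `taskkill /PID 1 taskkill /PID ; …` has its tail unchecked and would pass — slice with `cmd[len(allowed):]` instead. The rewrite below keeps the two `logger.warn` calls and the raise unchanged.
```python
def block_system(cmd):
    """Raise ArbitraryCodeExec for any os.system command other than, on Windows,
    `taskkill /PID ` followed only by alphanumerics, spaces and slashes; log first.
    """
    allowed = 'taskkill /PID '
    is_ok = False
    if platform.system() == 'Windows' and cmd.startswith(allowed):
        # slice rather than split(): a repeated prefix must not leave the tail unchecked
        rest = cmd[len(allowed):]
        is_ok = all(c.isalnum() or c in ('/', ' ') for c in rest)
    # … unchanged: warn twice and raise ArbitraryCodeExec when not is_ok …
```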