Security Fixes

backend/ansible_helper.py

@@ -46,8 +46,7 @@ def check_file(filename, file_type, raw=""):
             f.write(raw)
 
         x = subprocess.run(
-            ["ansible-playbook {} --check".format(temp_file)],
-            shell=True,
+            ["ansible-playbook", temp_file, "--check"],
             capture_output=True,
         )
         if x.returncode >= 4:
@@ -64,8 +63,7 @@ def check_file(filename, file_type, raw=""):
 
     elif file_type == "ansible":
         x = subprocess.run(
-            ["ansible-playbook {} --check".format(look_file)],
-            shell=True,
+            ["ansible-playbook", look_file, "--check"],
             capture_output=True,
         )
         if x.returncode >= 4:
@@ -80,7 +78,7 @@ def check_file(filename, file_type, raw=""):
 
         shutil.copy(look_file, "/etc/telegraf/telegraf.conf")
 
-        x = subprocess.run(["telegraf --test"], shell=True, capture_output=True)
+        x = subprocess.run(["telegraf", "--test"], capture_output=True)
         if x.returncode != 0:
             retval = False
         else:

backend/serve.py

@@ -123,15 +123,15 @@
 valid_type = ["ssh", "totp", "become", "telegraf", "ansible", "other"]
 
 
-@app.route("/upload/<type>/<override_token>", methods=["POST"])
+@app.route("/upload/<file_type>/<override_token>", methods=["POST"])
 @requires_auth_admin
-def upload(type, override_token):  # pragma: no cover
+def upload(file_type, override_token):  # pragma: no cover
     """
     Handles file upload
-        - Two types: straight upload and form data upload
+        - Two file_types: straight upload and form data upload
         - Form data upload comes from manual additions of vault files
     """
-    if type not in valid_type:
+    if file_type not in valid_type:
         return "Invalid type", 412
 
     if "file" not in request.files and "file" not in request.form:
@@ -147,14 +147,16 @@
         data = request.form["file"]
         filename = secure_filename(request.form["filename"])
 
+    file_type = secure_filename(file_type)
+
     if file != "" and file.filename == "":
         return "No file selected", 409
 
     if not os.path.exists("/src/uploads"):
         os.mkdir("/src/uploads")
 
-    if not os.path.exists("/src/uploads/{}".format(type)):
-        os.mkdir("/src/uploads/{}".format(type))
+    if not os.path.exists("/src/uploads/{}".format(file_type)):
+        os.mkdir("/src/uploads/{}".format(file_type))
 
     if data:
         data = data.replace("\r\n", "\n")
@@ -166,7 +168,7 @@
         ):
             os.remove("/src/uploads/become/{}.yml".format(filename.replace(".yml", "")))
 
-        if ansible_helper.check_file(filename, type):
+        if ansible_helper.check_file(filename, file_type):
             shutil.move(
                 "/tmp/{}".format(filename),
                 "/src/uploads/become/{}.yml".format(filename.replace(".yml", "")),
@@ -184,30 +186,30 @@
         with open(os.path.join("/tmp", filename), "w") as f:
             f.write(file_contents)
 
-        check_results = ansible_helper.check_file(filename, type)
+        check_results = ansible_helper.check_file(filename, file_type)
         if check_results:
             shutil.move(
-                "/tmp/{}".format(filename), "/src/uploads/{}/{}".format(type, filename)
+                "/tmp/{}".format(filename), "/src/uploads/{}/{}".format(file_type, filename)
             )
         else:
             return f"File check failed: {check_results}", 521
 
     # Chmod
-    chmod_filename = "/src/uploads/{}/{}".format(type, filename)
+    chmod_filename = "/src/uploads/{}/{}".format(file_type, filename)
     os.chmod(chmod_filename, 0o600)
     return file.filename, 200
 
 
-@app.route("/uploads/<type>", methods=["GET"])
+@app.route("/uploads/<file_type>", methods=["GET"])
 @requires_auth_admin
-def list_uploads(type):
+def list_uploads(file_type):
     """
     Lists all entries in an upload folder
     """
-    if type in valid_type:
-        if not os.path.exists("/src/uploads/{}".format(type)):
-            os.mkdir("/src/uploads/{}".format(type))
-        return json.dumps(os.listdir("/src/uploads/{}".format(type)), default=str), 200
+    if file_type in valid_type:
+        if not os.path.exists("/src/uploads/{}".format(file_type)):
+            os.mkdir("/src/uploads/{}".format(file_type))
+        return json.dumps(os.listdir("/src/uploads/{}".format(file_type)), default=str), 200
     return "Not found", 409
 
 

backend/services.py

@@ -216,12 +216,12 @@
     """
     Runs the telegraf file
     """
-    dir = "/src/uploads/telegraf/"
+    main_dir = "/src/uploads/telegraf/"
     testing = "--test"
     if outputs:
         testing = "--once"
-    cmd = "telegraf {} --config {}{}.conf".format(testing, dir, fname)
-    x = subprocess.run([cmd], shell=True, capture_output=True)
+    cmd = ["telegraf", testing, "--config", os.path.join(main_dir, f"{fname}.conf")]
+    x = subprocess.run([cmd], capture_output=True)
     return "{}\n<b>{}</b>{}".format(
         cmd, x.stderr.decode("utf-8"), x.stdout.decode("utf-8")
     )

frontend/labyrinth/src/components/CreateEditSubnet.vue

@@ -216,7 +216,7 @@ export default {
             .catch((e) => {
               this.$store.commit("updateError", e);
             });
-        });
+        }).catch(e=>this.$store.commit("updateError", e));
     },
   },
   watch: {