mirror of
https://github.com/Icinga/icinga2.git
synced 2025-07-22 05:04:30 +02:00
Don't allow scripts to access FANoUserView attributes in sandbox mode
fixes #10457
parent
8f764d805c
commit
de847d0b6f
@ -99,7 +99,7 @@ ExpressionResult VariableExpression::DoEvaluate(ScriptFrame& frame, DebugHint *d
|
|||||||
if (frame.Locals && frame.Locals->Get(m_Variable, &value))
|
if (frame.Locals && frame.Locals->Get(m_Variable, &value))
|
||||||
return value;
|
return value;
|
||||||
else if (frame.Self.IsObject() && frame.Locals != static_cast<Object::Ptr>(frame.Self) && VMOps::HasField(frame.Self, m_Variable))
|
else if (frame.Self.IsObject() && frame.Locals != static_cast<Object::Ptr>(frame.Self) && VMOps::HasField(frame.Self, m_Variable))
|
||||||
return VMOps::GetField(frame.Self, m_Variable, m_DebugInfo);
|
return VMOps::GetField(frame.Self, m_Variable, frame.Sandboxed, m_DebugInfo);
|
||||||
else
|
else
|
||||||
return ScriptGlobal::Get(m_Variable);
|
return ScriptGlobal::Get(m_Variable);
|
||||||
}
|
}
|
||||||
@ -391,7 +391,7 @@ ExpressionResult FunctionCallExpression::DoEvaluate(ScriptFrame& frame, DebugHin
|
|||||||
String index;
|
String index;
|
||||||
|
|
||||||
if (m_FName->GetReference(frame, false, &self, &index))
|
if (m_FName->GetReference(frame, false, &self, &index))
|
||||||
vfunc = VMOps::GetField(self, index, m_DebugInfo);
|
vfunc = VMOps::GetField(self, index, frame.Sandboxed, m_DebugInfo);
|
||||||
else {
|
else {
|
||||||
ExpressionResult vfuncres = m_FName->Evaluate(frame);
|
ExpressionResult vfuncres = m_FName->Evaluate(frame);
|
||||||
CHECK_RESULT(vfuncres);
|
CHECK_RESULT(vfuncres);
|
||||||
@ -504,7 +504,7 @@ ExpressionResult SetExpression::DoEvaluate(ScriptFrame& frame, DebugHint *dhint)
|
|||||||
CHECK_RESULT(operand2);
|
CHECK_RESULT(operand2);
|
||||||
|
|
||||||
if (m_Op != OpSetLiteral) {
|
if (m_Op != OpSetLiteral) {
|
||||||
Value object = VMOps::GetField(parent, index, m_DebugInfo);
|
Value object = VMOps::GetField(parent, index, frame.Sandboxed, m_DebugInfo);
|
||||||
|
|
||||||
switch (m_Op) {
|
switch (m_Op) {
|
||||||
case OpSetAdd:
|
case OpSetAdd:
|
||||||
@ -606,7 +606,7 @@ ExpressionResult IndexerExpression::DoEvaluate(ScriptFrame& frame, DebugHint *dh
|
|||||||
ExpressionResult operand2 = m_Operand2->Evaluate(frame, dhint);
|
ExpressionResult operand2 = m_Operand2->Evaluate(frame, dhint);
|
||||||
CHECK_RESULT(operand2);
|
CHECK_RESULT(operand2);
|
||||||
|
|
||||||
return VMOps::GetField(operand1.GetValue(), operand2.GetValue(), m_DebugInfo);
|
return VMOps::GetField(operand1.GetValue(), operand2.GetValue(), frame.Sandboxed, m_DebugInfo);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool IndexerExpression::GetReference(ScriptFrame& frame, bool init_dict, Value *parent, String *index, DebugHint **dhint) const
|
bool IndexerExpression::GetReference(ScriptFrame& frame, bool init_dict, Value *parent, String *index, DebugHint **dhint) const
|
||||||
@ -624,13 +624,13 @@ bool IndexerExpression::GetReference(ScriptFrame& frame, bool init_dict, Value *
|
|||||||
|
|
||||||
if (m_Operand1->GetReference(frame, init_dict, &vparent, &vindex, &psdhint)) {
|
if (m_Operand1->GetReference(frame, init_dict, &vparent, &vindex, &psdhint)) {
|
||||||
if (init_dict) {
|
if (init_dict) {
|
||||||
Value old_value = VMOps::GetField(vparent, vindex, m_Operand1->GetDebugInfo());
|
Value old_value = VMOps::GetField(vparent, vindex, frame.Sandboxed, m_Operand1->GetDebugInfo());
|
||||||
|
|
||||||
if (old_value.IsEmpty() && !old_value.IsString())
|
if (old_value.IsEmpty() && !old_value.IsString())
|
||||||
VMOps::SetField(vparent, vindex, new Dictionary(), m_Operand1->GetDebugInfo());
|
VMOps::SetField(vparent, vindex, new Dictionary(), m_Operand1->GetDebugInfo());
|
||||||
}
|
}
|
||||||
|
|
||||||
*parent = VMOps::GetField(vparent, vindex, m_DebugInfo);
|
*parent = VMOps::GetField(vparent, vindex, frame.Sandboxed, m_DebugInfo);
|
||||||
free_psd = true;
|
free_psd = true;
|
||||||
} else {
|
} else {
|
||||||
ExpressionResult operand1 = m_Operand1->Evaluate(frame);
|
ExpressionResult operand1 = m_Operand1->Evaluate(frame);
|
||||||
@ -706,7 +706,7 @@ ExpressionResult ImportExpression::DoEvaluate(ScriptFrame& frame, DebugHint *dhi
|
|||||||
if (frame.Sandboxed)
|
if (frame.Sandboxed)
|
||||||
BOOST_THROW_EXCEPTION(ScriptError("Imports are not allowed in sandbox mode.", m_DebugInfo));
|
BOOST_THROW_EXCEPTION(ScriptError("Imports are not allowed in sandbox mode.", m_DebugInfo));
|
||||||
|
|
||||||
String type = VMOps::GetField(frame.Self, "type", m_DebugInfo);
|
String type = VMOps::GetField(frame.Self, "type", frame.Sandboxed, m_DebugInfo);
|
||||||
ExpressionResult nameres = m_Name->Evaluate(frame);
|
ExpressionResult nameres = m_Name->Evaluate(frame);
|
||||||
CHECK_RESULT(nameres);
|
CHECK_RESULT(nameres);
|
||||||
Value name = nameres.GetValue();
|
Value name = nameres.GetValue();
|
||||||
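Review bot: In `ImportExpression::DoEvaluate` the added `frame.Sandboxed` argument can only ever be `false`, because the function throws "Imports are not allowed in sandbox mode." a few lines earlier whenever the frame is sandboxed. It is harmless, but it reads as if a sandboxed import path existed; either pass `false` or add a comment such as `// frame.Sandboxed is always false here, see the check above`. Separately, in `SetExpression::DoEvaluate` the new check is only reached under `if (m_Op != OpSetLiteral)`, and the `VMOps::SetField` call in `IndexerExpression::GetReference` is unchanged, so this commit restricts reads only. Whether writes from sandboxed frames are restricted elsewhere cannot be seen from these hunks and is worth confirming. All functions touched in this file start and end outside their hunks.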
|
@ -50,7 +50,7 @@ public:
|
|||||||
if (frame.Locals && frame.Locals->Get(name, &value))
|
if (frame.Locals && frame.Locals->Get(name, &value))
|
||||||
return value;
|
return value;
|
||||||
else if (frame.Self.IsObject() && frame.Locals != static_cast<Object::Ptr>(frame.Self) && HasField(frame.Self, name))
|
else if (frame.Self.IsObject() && frame.Locals != static_cast<Object::Ptr>(frame.Self) && HasField(frame.Self, name))
|
||||||
return GetField(frame.Self, name, debugInfo);
|
return GetField(frame.Self, name, frame.Sandboxed, debugInfo);
|
||||||
else
|
else
|
||||||
return ScriptGlobal::Get(name);
|
return ScriptGlobal::Get(name);
|
||||||
}
|
}
|
||||||
@ -219,7 +219,7 @@ public:
|
|||||||
Object::Ptr object = type->GetPrototype();
|
Object::Ptr object = type->GetPrototype();
|
||||||
|
|
||||||
if (object && HasField(object, field))
|
if (object && HasField(object, field))
|
||||||
return GetField(object, field, debugInfo);
|
return GetField(object, field, false, debugInfo);
|
||||||
|
|
||||||
type = type->GetBaseType();
|
type = type->GetBaseType();
|
||||||
} while (type);
|
} while (type);
|
||||||
@ -230,7 +230,7 @@ public:
|
|||||||
return Empty;
|
return Empty;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline Value GetField(const Value& context, const String& field, const DebugInfo& debugInfo = DebugInfo())
|
static inline Value GetField(const Value& context, const String& field, bool sandboxed = false, const DebugInfo& debugInfo = DebugInfo())
|
||||||
{
|
{
|
||||||
if (context.IsEmpty() && !context.IsString())
|
if (context.IsEmpty() && !context.IsString())
|
||||||
return Empty;
|
return Empty;
|
||||||
@ -277,6 +277,13 @@ public:
|
|||||||
if (fid == -1)
|
if (fid == -1)
|
||||||
return GetPrototypeField(context, field, true, debugInfo);
|
return GetPrototypeField(context, field, true, debugInfo);
|
||||||
|
|
||||||
|
if (sandboxed) {
|
||||||
|
Field fieldInfo = type->GetFieldInfo(fid);
|
||||||
|
|
||||||
|
if (fieldInfo.Attributes & FANoUserView)
|
||||||
|
BOOST_THROW_EXCEPTION(ScriptError("Accessing the field '" + field + "' for type '" + type->GetName() + "' is not allowed in sandbox mode."));
|
||||||
|
}
|
||||||
|
|
||||||
return object->GetField(fid);
|
return object->GetField(fid);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
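Review bot: The new `sandboxed` parameter of `GetField` defaults to `false`, so any caller still using the two-argument form `GetField(context, field)` keeps reading `FANoUserView` fields with no check and no compile-time hint. Since this flag is the enforcement point for the sandbox, I would drop the default (`bool sandboxed, const DebugInfo& debugInfo = DebugInfo()`) so that every call site has to state its trust level; callers outside this page are not visible, so a search for remaining ones is worthwhile either way. The added `ScriptError` also omits the script location, unlike the import error in `ImportExpression`; ending the throw with `..., debugInfo));` would keep the denial traceable to the offending line. The part of `GetField` between the signature hunk and the check is not shown, so whether its other branches need the flag cannot be judged from here.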