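#!/bin/bash
# execute.sh — Shell command wrapper for CloudPad.
#
# Phase 16: Hardened version.
# - Reject empty commands
# - Log all executions to syslog
# - Reject known dangerous patterns (rm -rf /, etc.)
# - Run with a timeout so long-running commands cannot hang the server
#
# Usage:       execute.sh <command> [arguments...]
# Environment: CLOUDPAD_EXEC_TIMEOUT - duration handed to timeout(1), default 30
# Exit status: 1 on usage error or rejected command, 124 on timeout,
#              otherwise the status reported by timeout(1) for the command.
#
# NOTE(review): the pattern check below is a best-effort guard against
# accidents, not a security boundary. Matching on command text cannot
# enumerate every destructive command, so what a caller is allowed to run
# has to be enforced elsewhere (authorization in the caller, an allowlist,
# a least-privilege account for this script).
set -euo pipefail

if [ "$#" -lt 1 ]; then
  echo "Usage: $0 <command> [arguments...]" >&2
  exit 1
fi

COMMAND="$1"
shift

# --- Safety check: reject blank command ---
if [ -z "$COMMAND" ]; then
  echo "[execute.sh] ERROR: Empty command rejected" >&2
  exit 1
fi

# Flattened, space-joined form of the command line. It is used only for the
# pattern check and for log/error messages, never for execution.
# NOTE(review): this string is logged verbatim; if the log is parsed
# downstream, consider stripping newlines and control characters first.
FULL_CMD="$COMMAND $*"

# --- Safety check: reject catastrophic patterns ---
# A here-string replaces `echo ... | grep -q`: under pipefail a writer killed
# by SIGPIPE could make the pipeline report failure even though grep matched,
# which would let the command through. It also avoids echo interpreting a
# command line that starts with an option such as -n.
if grep -qE 'rm\s+-[rRf]*f[rR]?\s+/\s*$|rm\s+-[rRf]*f[rR]?\s+/\*' <<<"$FULL_CMD"; then
  echo "[execute.sh] ERROR: Dangerous command pattern rejected: $FULL_CMD" >&2
  # Logging is best-effort here too, so a missing logger cannot change the
  # exit status of a rejection.
  logger -t cloudpad-execute "BLOCKED dangerous command: $FULL_CMD" 2>/dev/null || true
  exit 1
fi

# --- Log execution ---
logger -t cloudpad-execute "exec: $FULL_CMD" 2>/dev/null || true

# --- Execute with timeout (30s default) ---
TIMEOUT="${CLOUDPAD_EXEC_TIMEOUT:-30}"

# The command and its arguments are passed as the caller's original argv, so
# an argument containing spaces or glob characters reaches the command
# unchanged instead of being re-split and glob-expanded by this shell.
# NOTE(review): a caller that packed a whole command line into the first
# argument relied on the old word splitting and must now pass the command and
# its arguments separately, as the usage line states - confirm against callers.
#
# The status is captured with `||` because under `set -e` a bare failing
# command would end the script before the timeout branch below could run.
EXIT_CODE=0
timeout "$TIMEOUT" "$COMMAND" "$@" || EXIT_CODE=$?

if [ "$EXIT_CODE" -eq 124 ]; then
  echo "[execute.sh] ERROR: Command timed out after ${TIMEOUT}s: $FULL_CMD" >&2
  exit 124
fi
exit "$EXIT_CODE"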