packages/aops-zeus
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!108 fix command injection vulnerabilities

Browse Source 
From: @rabbitali 
Reviewed-by: @zhu-yuncheng 
Signed-off-by: @zhu-yuncheng
This commit is contained in:
openeuler-ci-bot 2024-03-13 01:54:43 +00:00 committed by Gitee
commit 46e9a6abcd
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
0010-fix-command-injection-vulnerabilities.patch Normal file
View File

@ -0,0 +1,27 @@
From 3c17fd664738dc5981c069a39e351295ff62db07 Mon Sep 17 00:00:00 2001
From: rabbitali <wenxin32@foxmail.com>
Date: Thu, 7 Mar 2024 15:45:57 +0800
Subject: [PATCH 1/1] fix command injection vulnerabilities
---
zeus/conf/constant.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/zeus/conf/constant.py b/zeus/conf/constant.py
index 8fcd222..a26b079 100644
--- a/zeus/conf/constant.py
+++ b/zeus/conf/constant.py
@@ -22,8 +22,8 @@ from vulcanus.conf.constant import BASE_CONFIG_PATH
MANAGER_CONFIG_PATH = os.path.join(BASE_CONFIG_PATH, 'zeus.ini')
# ceres
-CERES_PLUGIN_START = "aops-ceres plugin --start %s"
-CERES_PLUGIN_STOP = "aops-ceres plugin --stop %s"
+CERES_PLUGIN_START = "aops-ceres plugin --start '%s'"
+CERES_PLUGIN_STOP = "aops-ceres plugin --stop '%s'"
CERES_COLLECT_ITEMS_CHANGE = "aops-ceres plugin --change-collect-items '%s'"
CERES_PLUGIN_INFO = "aops-ceres plugin --info"
CERES_APPLICATION_INFO = "aops-ceres collect --application"
--
2.33.0

6
aops-zeus.spec
View File

@ -1,6 +1,6 @@
Name: aops-zeus Name: aops-zeus
Version: v1.3.1 Version: v1.3.1
Release: 5 Release: 6
Summary: A host and user manager service which is the foundation of aops. Summary: A host and user manager service which is the foundation of aops.
License: MulanPSL2 License: MulanPSL2
URL: https://gitee.com/openeuler/%{name} URL: https://gitee.com/openeuler/%{name}
@ -14,6 +14,7 @@ Patch0006: 0006-optimize-import.patch
Patch0007: 0007-add-an-api-for-querying-file-list.patch Patch0007: 0007-add-an-api-for-querying-file-list.patch
Patch0008: 0008-bugfix-email-config-does-not-take-effect.patch Patch0008: 0008-bugfix-email-config-does-not-take-effect.patch
Patch0009: 0009-fix-import-error.patch Patch0009: 0009-fix-import-error.patch
Patch0010: 0010-fix-command-injection-vulnerabilities.patch
BuildRequires: python3-setuptools BuildRequires: python3-setuptools
@ -54,6 +55,9 @@ cp -r database %{buildroot}/opt/aops/
%changelog %changelog
* Thu Mar 07 2024 wenxin<wenxin32@foxmail.com> - v1.3.1-6
- fix command injection vulnerabilities
* Mon Nov 06 2023 wenxin<wenxin32@foxmail.com> - v1.3.1-5 * Mon Nov 06 2023 wenxin<wenxin32@foxmail.com> - v1.3.1-5
- Bugfix: email config does not take effect - Bugfix: email config does not take effect
- Add an interface for querying file list - Add an interface for querying file list