fix command injection vulnerabilities

0010-fix-command-injection-vulnerabilities.patch

@@ -0,0 +1,27 @@
+From 3c17fd664738dc5981c069a39e351295ff62db07 Mon Sep 17 00:00:00 2001
+From: rabbitali <wenxin32@foxmail.com>
+Date: Thu, 7 Mar 2024 15:45:57 +0800
+Subject: [PATCH 1/1] fix command injection vulnerabilities
+
+---
+ zeus/conf/constant.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/zeus/conf/constant.py b/zeus/conf/constant.py
+index 8fcd222..a26b079 100644
+--- a/zeus/conf/constant.py
++++ b/zeus/conf/constant.py
+@@ -22,8 +22,8 @@ from vulcanus.conf.constant import BASE_CONFIG_PATH
+ MANAGER_CONFIG_PATH = os.path.join(BASE_CONFIG_PATH, 'zeus.ini')
+ 
+ # ceres
+-CERES_PLUGIN_START = "aops-ceres plugin --start %s"
+-CERES_PLUGIN_STOP = "aops-ceres plugin --stop %s"
++CERES_PLUGIN_START = "aops-ceres plugin --start '%s'"
++CERES_PLUGIN_STOP = "aops-ceres plugin --stop '%s'"
+ CERES_COLLECT_ITEMS_CHANGE = "aops-ceres plugin --change-collect-items '%s'"
+ CERES_PLUGIN_INFO = "aops-ceres plugin --info"
+ CERES_APPLICATION_INFO = "aops-ceres collect --application"
+-- 
+2.33.0
+

aops-zeus.spec

@@ -1,6 +1,6 @@
 Name:		aops-zeus
 Version:	v1.3.1
-Release:	5
+Release:	6
 Summary:	A host and user manager service which is the foundation of aops.
 License:	MulanPSL2
 URL:		https://gitee.com/openeuler/%{name}
@@ -14,6 +14,7 @@ Patch0006:	0006-optimize-import.patch
 Patch0007:	0007-add-an-api-for-querying-file-list.patch
 Patch0008:	0008-bugfix-email-config-does-not-take-effect.patch
 Patch0009:	0009-fix-import-error.patch
+Patch0010:	0010-fix-command-injection-vulnerabilities.patch
 
 
 BuildRequires:  python3-setuptools
@@ -54,6 +55,9 @@ cp -r database %{buildroot}/opt/aops/
 
 
 %changelog
+* Thu Mar 07 2024 wenxin<wenxin32@foxmail.com> - v1.3.1-6
+- fix command injection vulnerabilities
+
 * Mon Nov 06 2023 wenxin<wenxin32@foxmail.com> - v1.3.1-5
 - Bugfix: email config does not take effect
 - Add an interface for querying file list