From 3f050ce18c2dcbc20b7b7cd2d0ba4156ba0e7ef7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 1 Apr 2026 18:08:01 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=90=20=E4=BD=BF=E7=94=A8execFileSync?= =?UTF-8?q?=E6=9B=BF=E4=BB=A3execSync=C2=B7=E6=A0=B9=E6=B2=BB=E5=91=BD?= =?UTF-8?q?=E4=BB=A4=E6=B3=A8=E5=85=A5=E9=A3=8E=E9=99=A9=C2=B7SSH=E5=8F=82?= =?UTF-8?q?=E6=95=B0=E6=95=B0=E7=BB=84=E5=8C=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Agent-Logs-Url: https://github.com/qinfendebingshuo/guanghulab/sessions/29df49f6-bbbb-49af-8e63-96704b11d9c5 Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com> --- scripts/deputy-auto-repair.js | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/scripts/deputy-auto-repair.js b/scripts/deputy-auto-repair.js index e8bccd59..8571d0c9 100644 --- a/scripts/deputy-auto-repair.js +++ b/scripts/deputy-auto-repair.js @@ -30,7 +30,7 @@ 'use strict'; -const { execSync } = require('child_process'); +const { execFileSync } = require('child_process'); const fs = require('fs'); const path = require('path'); const https = require('https'); @@ -122,7 +122,7 @@ const REPAIR_STRATEGIES = [ } ]; -// ── SSH命令执行 (安全化) ──────────────────────── +// ── SSH命令执行 (安全化·使用execFileSync避免shell注入) ──── function sshExec(command) { const host = process.env.ZY_SERVER_HOST; const user = process.env.ZY_SERVER_USER; @@ -136,19 +136,21 @@ function sshExec(command) { return { ok: false, output: '', error: '⛔ 命令被安全策略拦截' }; } - // 对命令进行安全编码:单引号内的内容不会被shell二次解析 - const safeCommand = command.replace(/'/g, "'\\''"); + const sshKeyPath = path.join(process.env.HOME || '/root', '.ssh', 'zy_key'); try { - // 使用execFileSync避免shell注入:通过ssh二进制文件直接传递参数 - const output = execSync( - `ssh -i ~/.ssh/zy_key -o ConnectTimeout=10 ${escapeShellArg(user)}@${escapeShellArg(host)} '${safeCommand}'`, - { - timeout: 60000, - encoding: 'utf8', - stdio: ['pipe', 'pipe', 'pipe'] - } - ); + // 使用execFileSync直接调用ssh二进制文件,避免shell解析 + // command作为ssh的远程执行参数,由ssh在远端服务器上执行 + const output = execFileSync('ssh', [ + '-i', sshKeyPath, + '-o', 'ConnectTimeout=10', + `${user}@${host}`, + command + ], { + timeout: 60000, + encoding: 'utf8', + stdio: ['pipe', 'pipe', 'pipe'] + }); return { ok: true, output: output.trim() }; } catch (err) { return { @@ -159,12 +161,6 @@ function sshExec(command) { } } -// 转义shell参数中的特殊字符 -function escapeShellArg(arg) { - // 只允许字母数字和基本字符(用户名/IP/域名) - return String(arg).replace(/[^a-zA-Z0-9._@:-]/g, ''); -} - // ── LLM深度分析 ──────────────────────────── async function llmAnalysis(errorLog) { const apiKey = process.env.ZY_LLM_API_KEY;