🔐 使用execFileSync替代execSync·根治命令注入风险·SSH参数数组化
Agent-Logs-Url: https://github.com/qinfendebingshuo/guanghulab/sessions/29df49f6-bbbb-49af-8e63-96704b11d9c5 Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com>
This commit is contained in:
parent
fdca1b514b
commit
3f050ce18c
|
|
@ -30,7 +30,7 @@
|
||||||
|
|
||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
const { execSync } = require('child_process');
|
const { execFileSync } = require('child_process');
|
||||||
const fs = require('fs');
|
const fs = require('fs');
|
||||||
const path = require('path');
|
const path = require('path');
|
||||||
const https = require('https');
|
const https = require('https');
|
||||||
|
|
@ -122,7 +122,7 @@ const REPAIR_STRATEGIES = [
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
// ── SSH命令执行 (安全化) ────────────────────────
|
// ── SSH命令执行 (安全化·使用execFileSync避免shell注入) ────
|
||||||
function sshExec(command) {
|
function sshExec(command) {
|
||||||
const host = process.env.ZY_SERVER_HOST;
|
const host = process.env.ZY_SERVER_HOST;
|
||||||
const user = process.env.ZY_SERVER_USER;
|
const user = process.env.ZY_SERVER_USER;
|
||||||
|
|
@ -136,19 +136,21 @@ function sshExec(command) {
|
||||||
return { ok: false, output: '', error: '⛔ 命令被安全策略拦截' };
|
return { ok: false, output: '', error: '⛔ 命令被安全策略拦截' };
|
||||||
}
|
}
|
||||||
|
|
||||||
// 对命令进行安全编码:单引号内的内容不会被shell二次解析
|
const sshKeyPath = path.join(process.env.HOME || '/root', '.ssh', 'zy_key');
|
||||||
const safeCommand = command.replace(/'/g, "'\\''");
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
// 使用execFileSync避免shell注入:通过ssh二进制文件直接传递参数
|
// 使用execFileSync直接调用ssh二进制文件,避免shell解析
|
||||||
const output = execSync(
|
// command作为ssh的远程执行参数,由ssh在远端服务器上执行
|
||||||
`ssh -i ~/.ssh/zy_key -o ConnectTimeout=10 ${escapeShellArg(user)}@${escapeShellArg(host)} '${safeCommand}'`,
|
const output = execFileSync('ssh', [
|
||||||
{
|
'-i', sshKeyPath,
|
||||||
timeout: 60000,
|
'-o', 'ConnectTimeout=10',
|
||||||
encoding: 'utf8',
|
`${user}@${host}`,
|
||||||
stdio: ['pipe', 'pipe', 'pipe']
|
command
|
||||||
}
|
], {
|
||||||
);
|
timeout: 60000,
|
||||||
|
encoding: 'utf8',
|
||||||
|
stdio: ['pipe', 'pipe', 'pipe']
|
||||||
|
});
|
||||||
return { ok: true, output: output.trim() };
|
return { ok: true, output: output.trim() };
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
return {
|
return {
|
||||||
|
|
@ -159,12 +161,6 @@ function sshExec(command) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// 转义shell参数中的特殊字符
|
|
||||||
function escapeShellArg(arg) {
|
|
||||||
// 只允许字母数字和基本字符(用户名/IP/域名)
|
|
||||||
return String(arg).replace(/[^a-zA-Z0-9._@:-]/g, '');
|
|
||||||
}
|
|
||||||
|
|
||||||
// ── LLM深度分析 ────────────────────────────
|
// ── LLM深度分析 ────────────────────────────
|
||||||
async function llmAnalysis(errorLog) {
|
async function llmAnalysis(errorLog) {
|
||||||
const apiKey = process.env.ZY_LLM_API_KEY;
|
const apiKey = process.env.ZY_LLM_API_KEY;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue