🔐 使用execFileSync替代execSync·根治命令注入风险·SSH参数数组化

Agent-Logs-Url: https://github.com/qinfendebingshuo/guanghulab/sessions/29df49f6-bbbb-49af-8e63-96704b11d9c5

Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-04-01 18:08:01 +00:00 committed by GitHub
parent fdca1b514b
commit 3f050ce18c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 15 additions and 19 deletions

View File

@ -30,7 +30,7 @@
'use strict'; 'use strict';
const { execSync } = require('child_process'); const { execFileSync } = require('child_process');
const fs = require('fs'); const fs = require('fs');
const path = require('path'); const path = require('path');
const https = require('https'); const https = require('https');
@ -122,7 +122,7 @@ const REPAIR_STRATEGIES = [
} }
]; ];
// ── SSH命令执行 (安全化) ──────────────────────── // ── SSH命令执行 (安全化·使用execFileSync避免shell注入) ────
function sshExec(command) { function sshExec(command) {
const host = process.env.ZY_SERVER_HOST; const host = process.env.ZY_SERVER_HOST;
const user = process.env.ZY_SERVER_USER; const user = process.env.ZY_SERVER_USER;
@ -136,19 +136,21 @@ function sshExec(command) {
return { ok: false, output: '', error: '⛔ 命令被安全策略拦截' }; return { ok: false, output: '', error: '⛔ 命令被安全策略拦截' };
} }
// 对命令进行安全编码单引号内的内容不会被shell二次解析 const sshKeyPath = path.join(process.env.HOME || '/root', '.ssh', 'zy_key');
const safeCommand = command.replace(/'/g, "'\\''");
try { try {
// 使用execFileSync避免shell注入通过ssh二进制文件直接传递参数 // 使用execFileSync直接调用ssh二进制文件避免shell解析
const output = execSync( // command作为ssh的远程执行参数由ssh在远端服务器上执行
`ssh -i ~/.ssh/zy_key -o ConnectTimeout=10 ${escapeShellArg(user)}@${escapeShellArg(host)} '${safeCommand}'`, const output = execFileSync('ssh', [
{ '-i', sshKeyPath,
timeout: 60000, '-o', 'ConnectTimeout=10',
encoding: 'utf8', `${user}@${host}`,
stdio: ['pipe', 'pipe', 'pipe'] command
} ], {
); timeout: 60000,
encoding: 'utf8',
stdio: ['pipe', 'pipe', 'pipe']
});
return { ok: true, output: output.trim() }; return { ok: true, output: output.trim() };
} catch (err) { } catch (err) {
return { return {
@ -159,12 +161,6 @@ function sshExec(command) {
} }
} }
// 转义shell参数中的特殊字符
function escapeShellArg(arg) {
// 只允许字母数字和基本字符(用户名/IP/域名)
return String(arg).replace(/[^a-zA-Z0-9._@:-]/g, '');
}
// ── LLM深度分析 ──────────────────────────── // ── LLM深度分析 ────────────────────────────
async function llmAnalysis(errorLog) { async function llmAnalysis(errorLog) {
const apiKey = process.env.ZY_LLM_API_KEY; const apiKey = process.env.ZY_LLM_API_KEY;