https://github.com/ThomasDickey/original-mawk/issues/49

From ae3a324a5af1350aa1a6f648e10b9d6656d9fde4 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@chromium.org>
Date: Tue, 7 Nov 2017 00:41:36 -0500
Subject: [PATCH 1/2] add a -W sandbox mode

This is like gawk's sandbox mode where arbitrary code execution and
file redirection are locked down.  This way awk can be used in a more
secure input/output mode.
---
 bi_funct.c | 3 +++
 init.c     | 8 ++++++++
 man/mawk.1 | 4 ++++
 mawk.h     | 2 +-
 scan.c     | 6 ++++++
 5 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/bi_funct.c b/bi_funct.c
index 7742308c72a5..b524ac8dac8b 100644
--- a/bi_funct.c
+++ b/bi_funct.c
@@ -908,6 +908,9 @@ bi_system(CELL *sp GCC_UNUSED)
 #ifdef HAVE_REAL_PIPES
     int ret_val;
 
+    if (sandbox_flag)
+	rt_error("'system' function not allowed in sandbox mode");
+
     TRACE_FUNC("bi_system", sp);
 
     if (sp->type < C_STRING)
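Review bot: The new guard sits inside the `#ifdef HAVE_REAL_PIPES` branch of bi_system, so a build without real pipes takes whatever alternative path follows (outside this hunk) with no sandbox check at all; if there is an `#else` implementation of system(), it needs the same `if (sandbox_flag) rt_error("'system' function not allowed in sandbox mode");`, or the check should move above the `#ifdef`. The check also runs before `TRACE_FUNC("bi_system", sp);`, so a traced run will not record the call that was refused; placing it after the trace keeps the trace complete. The body of bi_system begins before and continues after this hunk.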
diff --git a/init.c b/init.c
index 0ab17b003f20..f7babb337e04 100644
--- a/init.c
+++ b/init.c
@@ -40,6 +40,7 @@ typedef enum {
     W_RANDOM,
     W_SPRINTF,
     W_POSIX_SPACE,
+    W_SANDBOX,
     W_USAGE
 } W_OPTIONS;
 
@@ -96,6 +97,7 @@ initialize(int argc, char **argv)
 
 int dump_code_flag;		/* if on dump internal code */
 short posix_space_flag;
+short sandbox_flag;
 
 #ifdef	 DEBUG
 int dump_RE = 1;		/* if on dump compiled REs  */
@@ -153,6 +155,7 @@ usage(void)
 	"    -W random=number set initial random seed.",
 	"    -W sprintf=number adjust size of sprintf buffer.",
 	"    -W posix_space   do not consider \"\\n\" a space.",
+	"    -W sandbox       disable system() and I/O redirection.",
 	"    -W usage         show this message and exit.",
     };
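Review bot: The usage line for `-W sandbox` says it disables `system()` and I/O redirection, while the man page text in this same patch also lists pipelines; the two user-facing descriptions should agree, e.g. `"    -W sandbox       disable system(), I/O redirection and pipes.",`. The usage() string array continues outside the hunk.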
     size_t n;
@@ -255,6 +258,7 @@ parse_w_opt(char *source, char **next)
 	    DATA(RANDOM),
 	    DATA(SPRINTF),
 	    DATA(POSIX_SPACE),
+	    DATA(SANDBOX),
 	    DATA(USAGE)
     };
 #undef DATA
@@ -389,6 +393,10 @@ process_cmdline(int argc, char **argv)
 		    posix_space_flag = 1;
 		    break;
 
+		case W_SANDBOX:
+		    sandbox_flag = 1;
+		    break;
+
 		case W_RANDOM:
 		    if (haveValue(optNext)) {
 			int x = atoi(optNext + 1);
diff --git a/man/mawk.1 b/man/mawk.1
index a3c794167dc9..0915d9d7ed5d 100644
--- a/man/mawk.1
+++ b/man/mawk.1
@@ -150,6 +150,10 @@ forces
 \fB\*n\fP
 not to consider '\en' to be space.
 .TP
+\-\fBW \fRsandbox
+runs in a restricted mode where system(), input redirection (e.g. getline),
+output redirection (e.g. print and printf), and pipelines are disabled.
+.TP
 \-\fBW \fRrandom=\fInum\fR
 calls \fBsrand\fP with the given parameter
 (and overrides the auto-seeding behavior).
diff --git a/mawk.h b/mawk.h
index 2d04be1adb34..a6ccc0071ecc 100644
--- a/mawk.h
+++ b/mawk.h
@@ -63,7 +63,7 @@ extern int dump_RE;
 #define USE_BINMODE 0
 #endif
 
-extern short posix_space_flag, interactive_flag;
+extern short posix_space_flag, interactive_flag, sandbox_flag;
 
 /*----------------
  *  GLOBAL VARIABLES
diff --git a/scan.c b/scan.c
index 3a8fc9181ab8..c1833b8b7315 100644
--- a/scan.c
+++ b/scan.c
@@ -455,6 +455,8 @@ yylex(void)
 	    un_next();
 
 	if (getline_flag) {
+	    if (sandbox_flag)
+		rt_error("redirection not allowed in sandbox mode");
 	    getline_flag = 0;
 	    ct_ret(IO_IN);
 	} else
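Review bot: This check runs in the scanner while the program is being parsed, yet it reports through `rt_error`, the run-time error path; if the file's compile-time reporter (`compile_error`, if scan.c uses it elsewhere) is available, it gives the usual parse-time line context and exit status, so `compile_error("redirection not allowed in sandbox mode");` seems the better fit here and in the two later scan.c hunks. Whether rt_error returns is not visible here; if it does, the lexer falls through into `getline_flag = 0; ct_ret(IO_IN);` and the redirection token is still emitted, so a non-returning reporter or an explicit exit after the call is needed. yylex starts before this hunk.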
@@ -462,6 +464,8 @@ yylex(void)
 
     case SC_GT:		/* '>' */
 	if (print_flag && paren_cnt == 0) {
+	    if (sandbox_flag)
+		rt_error("redirection not allowed in sandbox mode");
 	    print_flag = 0;
 	    /* there are 3 types of IO_OUT
 	       -- build the error string in string_buff */
@@ -488,6 +492,8 @@ yylex(void)
 	    un_next();
 
 	    if (print_flag && paren_cnt == 0) {
+		if (sandbox_flag)
+		    rt_error("pipe execution not allowed in sandbox mode");
 		print_flag = 0;
 		yylval.ival = PIPE_OUT;
 		string_buff[0] = '|';
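Review bot: The `|` guard covers only the `print_flag && paren_cnt == 0` branch, which yields PIPE_OUT; the `else` branch that returns the plain PIPE token (the form used by `"cmd" | getline`) lies just past the end of this hunk and is not visible as guarded, so command input via getline presumably remains possible in sandbox mode even though the man page in this patch states that getline input redirection and pipelines are disabled. If that branch is indeed unguarded, the same `if (sandbox_flag) rt_error("pipe execution not allowed in sandbox mode");` belongs there too, or once before the print_flag test so both token kinds are covered. The enclosing case of yylex continues outside the hunk.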
-- 
2.13.5