mirror of
https://github.com/avatao-content/baseimage-tutorial-framework
synced 2024-11-05 16:31:21 +00:00
Merge pull request #25 from avatao-content/usersep
Fix webide vulnerabilities
This commit is contained in:
commit
b942c1cf53
@ -53,14 +53,17 @@ COPY nginx/nginx.conf ${TFW_NGINX_CONF}
|
||||
COPY nginx/default.conf ${TFW_NGINX_DEFAULT}
|
||||
COPY lib ${TFW_LIB_DIR}
|
||||
|
||||
RUN for dir in "${TFW_LIB_DIR}" "/etc/nginx" "/etc/supervisor"; do \
|
||||
chown -R root:root "$dir" && chmod -R 700 "$dir"; \
|
||||
done
|
||||
|
||||
ONBUILD ARG BUILD_CONTEXT="."
|
||||
ONBUILD ARG NOFRONTEND=""
|
||||
|
||||
ONBUILD COPY ${BUILD_CONTEXT}/nginx/components/ ${TFW_NGINX_COMPONENTS}
|
||||
ONBUILD COPY ${BUILD_CONTEXT}/supervisor/components/ ${TFW_SUPERVISORD_COMPONENTS}
|
||||
|
||||
ONBUILD RUN chown -R ${AVATAO_USER} /var/log/nginx /var/lib/nginx &&\
|
||||
for f in "${TFW_NGINX_DEFAULT}" ${TFW_NGINX_COMPONENTS}/*.conf; do \
|
||||
ONBUILD RUN for f in "${TFW_NGINX_DEFAULT}" ${TFW_NGINX_COMPONENTS}/*.conf; do \
|
||||
envsubst "$(printenv | cut -d= -f1 | grep TFW_ | sed -e 's/^/$/g')" < $f > $f~ && mv $f~ $f ;\
|
||||
done
|
||||
ONBUILD VOLUME ["/etc/nginx", "/var/lib/nginx", "/var/log/nginx"]
|
||||
|
@ -1,7 +1,7 @@
|
||||
# Copyright (C) 2018 Avatao.com Innovative Learning Kft.
|
||||
# All Rights Reserved. See LICENSE file for details.
|
||||
|
||||
from os.path import isfile, join, relpath, exists, isdir
|
||||
from os.path import isfile, join, relpath, exists, isdir, realpath
|
||||
from glob import glob
|
||||
from fnmatch import fnmatchcase
|
||||
from collections import Iterable
|
||||
@ -13,9 +13,10 @@ from tfw.config.logs import logging
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class FileManager:
|
||||
def __init__(self, working_directory, selected_file=None, exclude=None):
|
||||
class FileManager: # pylint: disable=too-many-instance-attributes
|
||||
def __init__(self, working_directory, allowed_directories, selected_file=None, exclude=None):
|
||||
self._exclude, self.exclude = None, exclude
|
||||
self._allowed_directories, self.allowed_directories = None, allowed_directories
|
||||
self._workdir, self.workdir = None, working_directory
|
||||
self._filename, self.filename = None, selected_file or self.files[0]
|
||||
|
||||
@ -39,8 +40,18 @@ class FileManager:
|
||||
def workdir(self, directory):
|
||||
if not exists(directory) or not isdir(directory):
|
||||
raise EnvironmentError('"{}" is not a directory!'.format(directory))
|
||||
if not self._is_whitelisted(directory):
|
||||
raise EnvironmentError('Directory "{}" is not in whitelist!'.format(directory))
|
||||
self._workdir = directory
|
||||
|
||||
@property
|
||||
def allowed_directories(self):
|
||||
return self._allowed_directories
|
||||
|
||||
@allowed_directories.setter
|
||||
def allowed_directories(self, directories):
|
||||
self._allowed_directories = directories
|
||||
|
||||
@property
|
||||
def filename(self):
|
||||
return self._filename
|
||||
@ -54,8 +65,9 @@ class FileManager:
|
||||
@property
|
||||
def files(self):
|
||||
return [self._relpath(file) for file in glob(join(self._workdir, '**/*'), recursive=True)
|
||||
if isfile(file) and
|
||||
not any(fnmatchcase(file, blacklisted) for blacklisted in self.exclude)]
|
||||
if isfile(file)
|
||||
and self._is_whitelisted(file)
|
||||
and not any(fnmatchcase(file, blacklisted) for blacklisted in self.exclude)]
|
||||
|
||||
@property
|
||||
def file_contents(self):
|
||||
@ -67,6 +79,9 @@ class FileManager:
|
||||
with open(self._filepath(self.filename), 'w', errors='surrogateescape') as ofile:
|
||||
ofile.write(value)
|
||||
|
||||
def _is_whitelisted(self, file):
|
||||
return any(realpath(file).startswith(allowed_dir) for allowed_dir in self.allowed_directories)
|
||||
|
||||
def _filepath(self, filename):
|
||||
return join(self._workdir, filename)
|
||||
|
||||
@ -75,9 +90,11 @@ class FileManager:
|
||||
|
||||
|
||||
class SourceCodeEventHandler(TriggerlessEventHandler):
|
||||
def __init__(self, key, directory, selected_file=None, exclude=None):
|
||||
# pylint: disable=too-many-arguments
|
||||
def __init__(self, key, directory, allowed_directories, selected_file=None, exclude=None):
|
||||
super().__init__(key)
|
||||
self.filemanager = FileManager(directory, selected_file=selected_file, exclude=exclude)
|
||||
self.filemanager = FileManager(allowed_directories=allowed_directories, working_directory=directory,
|
||||
selected_file=selected_file, exclude=exclude)
|
||||
|
||||
self.commands = {'read': self.read,
|
||||
'write': self.write,
|
||||
|
@ -5,6 +5,7 @@ from tfw.components.terminado_mini_server import TerminadoMiniServer
|
||||
from tfw.event_handler_base import TriggerlessEventHandler
|
||||
from tfw.config import TFWENV
|
||||
from tfw.config.logs import logging
|
||||
from tao.config import TAOENV
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
@ -14,7 +15,8 @@ class TerminadoEventHandler(TriggerlessEventHandler):
|
||||
super().__init__(key)
|
||||
self.working_directory = TFWENV.TERMINADO_DIR
|
||||
self._historymonitor = monitor
|
||||
self.terminado_server = TerminadoMiniServer('/terminal', TFWENV.TERMINADO_PORT, TFWENV.TERMINADO_WD, ['bash'])
|
||||
bash_as_user_cmd = ['sudo', '-u', TAOENV.USER, 'bash']
|
||||
self.terminado_server = TerminadoMiniServer('/terminal', TFWENV.TERMINADO_PORT, TFWENV.TERMINADO_WD, bash_as_user_cmd)
|
||||
self.commands = {'write': self.write,
|
||||
'read': self.read}
|
||||
if self._historymonitor:
|
||||
|
@ -1,5 +1,5 @@
|
||||
[supervisord]
|
||||
user=user
|
||||
user=root
|
||||
logfile = /tmp/supervisord.log
|
||||
loglevel = debug
|
||||
pidfile = /tmp/supervisord.pid
|
||||
@ -18,9 +18,5 @@ command=/usr/sbin/nginx -g 'daemon off;'
|
||||
autostart=true
|
||||
autorestart=true
|
||||
|
||||
[program:app]
|
||||
directory=%(ENV_TFW_APP_DIR)s
|
||||
command=python3 app.py
|
||||
|
||||
[include]
|
||||
files=%(ENV_TFW_SUPERVISORD_COMPONENTS)s/*.conf
|
||||
|
Loading…
Reference in New Issue
Block a user