

Add simple whitelist (can contain false negatives)
The buffer is unchecked
ChillerDragon committed Nov 21, 2024
1 parent 23ff06f commit 4fd997b
Showing 1 changed file with 34 additions and 4 deletions.
38 changes: 34 additions & 4 deletions lib/include/audit_code.sh
Expand Up @@ -50,6 +50,12 @@ _audit_code_system_whitelisted_rcons=(
" log_info(\"server\", \"| rcon password: '%s' |\", Config()->m_SvRconPassword);"
)

_audit_code_system_whitelisted_shell_executes=(
'PROCESS shell_execute(const char *file, EShellExecuteWindowState window_state)'
'm_ServerProcess.m_Process = shell_execute(aBuf, EShellExecuteWindowState::BACKGROUND);'
'shell_execute(aRestartBinaryPath, EShellExecuteWindowState::FOREGROUND);'
)

function _get_grep_context() {
# SYNOPSIS:
# _get_grep_context <line>
Expand Down Expand Up @@ -213,12 +219,36 @@ function audit_code_shell() {
}

function audit_code_shell_execute() {
local match
match="$(grep -iErn 'shell_execute' src)"
if [ "$match" != "" ]
local matches=""
local line
local line_chopped
local buf

while IFS= read -r line
do
local detect=1
line_chopped="$(_chop_grep_line "$line")"
line_chopped="$(trim "$line_chopped")"
for buf in "${_audit_code_system_whitelisted_shell_executes[@]}"
do
buf="$(trim "$buf")"
if [ "$line_chopped" == "$buf" ]
then
detect=0
break
fi
done
if [ "$detect" = 1 ]
then
# appends 'line' to 'matches' with an actual newline character
printf -v matches '%s%s\n' "$matches" "$line"
fi
done < <(grep -iErn 'shell_execute' src)

if [ "$matches" != "" ]
then
audit_wrn "$(tput bold)WARNING$(tput sgr0): found call to shell_execute (ddnets exec wrapper)"
echo "$match" | awk '{ print "\t" $0}'
printf '%s' "$matches" | awk '{ print "\t" $0}'
fi
}

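Review bot: The whitelist comparison at `if [ "$line_chopped" == "$buf" ]` keys on the trimmed source text alone, so once `_chop_grep_line` has (presumably) stripped the `file:line:` prefix, an identical line that later appears in any other file under `src` is suppressed too, and nothing inspects how `aBuf` is built before the whitelisted `shell_execute(aBuf, ...)` call — this is the false-negative class the commit title admits. That limitation should be stated next to the array itself so the next maintainer does not read the entries as a vetted set of safe call sites; above `_audit_code_system_whitelisted_shell_executes=(` add `# Matched by exact trimmed source text only; the arguments passed (e.g. aBuf) are not inspected, so a change upstream of a whitelisted call goes undetected.`. If the helper retains the path component, comparing `<path>:<text>` instead of bare text would at least bind each suppression to one location; the second hunk's grep loop is where that comparison would change. The `_get_grep_context` definition at the end of the first hunk continues outside it.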

