I have a small app in go that handles http requests by executing a process and providing it with some input from the query string that a user supplied with the request. I was wondering what is the best way to filter that input against remote execution. The PHP alternative for example would be something like: http://php.net/manual/en/function.escapeshellarg.php
Right now the input should be a valid URL if that makes it easier, but ideally a generic filter would be preferred.
分享 Generally magic functions like that are very hard to get right and often they will leave your application open to attacks if you rely heavily on them.
I would recommend that you use a smart URL/request scheme to get the commands you need to run and put some level of interpretation in between the user request and your shell execution so no parameters given by the user is used directly.
You could get request that contain ?verbose=true and translate them to -v on the command line eg. When dealing with user input like strings that need to be directly given to the command being run you need to do simple escaping with quotes (with a simple check to see if the input contain quotes) to ensure you don't run into a "Bobby Tables" problem.
An alternative way would be to have your program and the underlying command exchange data through pipes or files eg. which would reduce the likeliness of leaving command input an open attack vector.
分享
