Commit aae28174 authored by Jan Kožusznik's avatar Jan Kožusznik

move prevention to code injection into own code

parent 785e187f
...@@ -89,8 +89,7 @@ public class ScpClient extends AbstractBaseSshClient { ...@@ -89,8 +89,7 @@ public class ScpClient extends AbstractBaseSshClient {
AckowledgementChecker ack = new AckowledgementChecker(); AckowledgementChecker ack = new AckowledgementChecker();
// exec 'scp -f rfile' remotely // exec 'scp -f rfile' remotely
lfile = lfile.replace("'", "'\"'\"'"); lfile = sanityFileName(lfile);
lfile = "'" + lfile + "'";
String command = "scp -f " + lfile; String command = "scp -f " + lfile;
Channel channel = getConnectedSession().openChannel("exec"); Channel channel = getConnectedSession().openChannel("exec");
...@@ -233,8 +232,7 @@ public class ScpClient extends AbstractBaseSshClient { ...@@ -233,8 +232,7 @@ public class ScpClient extends AbstractBaseSshClient {
AckowledgementChecker ack = new AckowledgementChecker(); AckowledgementChecker ack = new AckowledgementChecker();
// exec 'scp -f rfile' remotely // exec 'scp -f rfile' remotely
lfile = lfile.replace("'", "'\"'\"'"); lfile = sanityFileName(lfile);
lfile = "'" + lfile + "'";
String command = "scp -f " + lfile; String command = "scp -f " + lfile;
Channel channel = getConnectedSession().openChannel("exec"); Channel channel = getConnectedSession().openChannel("exec");
...@@ -291,7 +289,7 @@ public class ScpClient extends AbstractBaseSshClient { ...@@ -291,7 +289,7 @@ public class ScpClient extends AbstractBaseSshClient {
// exec 'scp -f rfile' remotely // exec 'scp -f rfile' remotely
Channel channel = getConnectedSession().openChannel("sftp"); Channel channel = getConnectedSession().openChannel("sftp");
lfile = sanityFileName(lfile);
try { try {
channel.connect(); channel.connect();
return ((List<LsEntry>) ((ChannelSftp) channel).ls(lfile)).stream().map( return ((List<LsEntry>) ((ChannelSftp) channel).ls(lfile)).stream().map(
...@@ -319,10 +317,9 @@ public class ScpClient extends AbstractBaseSshClient { ...@@ -319,10 +317,9 @@ public class ScpClient extends AbstractBaseSshClient {
boolean ptimestamp = false; boolean ptimestamp = false;
// exec 'scp -t rfile' remotely // exec 'scp -t rfile' remotely
fileName = fileName.replace("'", "'\"'\"'"); fileName = sanityFileName(fileName);
String command = "scp " + (ptimestamp ? "-p" : "") + " -t '" + fileName + String command = "scp " + (ptimestamp ? "-p" : "") + " -t " + fileName;
"'";
Channel channel = getConnectedSession().openChannel("exec"); Channel channel = getConnectedSession().openChannel("exec");
((ChannelExec) channel).setCommand(command); ((ChannelExec) channel).setCommand(command);
// get I/O streams for remote scp // get I/O streams for remote scp
...@@ -389,9 +386,17 @@ public class ScpClient extends AbstractBaseSshClient { ...@@ -389,9 +386,17 @@ public class ScpClient extends AbstractBaseSshClient {
} }
} }
private String sanityFileName(String fileName) {
fileName = fileName.replace("\"", "\\\\\\\"");
fileName = fileName.replace("'", "\\\\\\'");
fileName = "'" + fileName + "'";
return fileName;
}
private int mkdir(String file) throws JSchException { private int mkdir(String file) throws JSchException {
ChannelExec channel = (ChannelExec) getConnectedSession().openChannel( ChannelExec channel = (ChannelExec) getConnectedSession().openChannel(
"exec"); "exec");
file = sanityFileName(file);
channel.setCommand("mkdir -p '" + file + "'"); channel.setCommand("mkdir -p '" + file + "'");
try { try {
channel.connect(); channel.connect();
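Review bot: `sanityFileName` no longer neutralises a single quote in the file name. Inside a single-quoted POSIX shell word a backslash is literal, so the backslash-prefixed quote produced by `fileName.replace("'", "\\\\\\'")` (as the literal is rendered here) still closes the quoting, and the rest of the name reaches the remote shell unquoted in the `scp -f`, `scp -t` and `mkdir -p` commands. The idiom this commit removes was the correct one: the helper should keep `fileName = fileName.replace("'", "'\"'\"'");` and drop the double-quote replacement, which only alters names because `"` needs no escaping inside single quotes. `mkdir` also wraps the already-quoted result in a second pair of quotes (`"mkdir -p '" + file + "'"`), which leaves the name effectively unquoted; it should be `channel.setCommand("mkdir -p " + file);`. The new call before `ChannelSftp.ls(lfile)` looks wrong too, since an SFTP path is presumably not parsed by a shell and the added quotes would become part of the path; this is worth confirming, and the methods touched here start and end outside the visible hunks.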