Allow command arguments in schedule #635
Conversation
|
How do we prevent OS command injections here without validating the arguments? It's the primary reason I never added support for it. |
|
these aren't os level commands, these are just artisan commands. And second, if you have access to use the endpoint, you are an admin. In this case, you can probably access the OS anyways |
|
Being an administrator on SeAT does not (and should not) mean you are an OS administrator. A quick dig again through some of the internals of I'm curious enough to PoC this soon actually :) |
|
I have been browsing through the code a bit and I haven't found what you mean with |
|
Alright I spent a few minutes on this and a face value it seems like I am wrong. Wrote a simple command like this: // app/Console/Commands/ArgPoc.php
<?php
namespace App\Console\Commands;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\Log;
class ArgPoc extends Command
{
/**
* The name and signature of the console command.
*
* @var string
*/
protected $signature = 'poc:args {argname}';
/**
* The console command description.
*
* @var string
*/
protected $description = 'Argument Injection POC';
/**
* Execute the console command.
*
* @return int
*/
public function handle()
{
Log::info('running command with args: ' . $this->argument('argname'));
return Command::SUCCESS;
}
}And a simple route like this: // routes/web.php
Route::get('/poc/{args}', function($args) {
$exitCode = Artisan::call('poc:args ' . $args);
return $exitCode;
});Injecting a command via the URL as a test seems to have no effect :) |
command arguments in schedule styleci+comments
command arguments in schedule styleci+comments
…sivetree/web into schedule-command-arguments
|
I updated this PR for seat 5 |
This pr allows you to add a command with argument to the seat command schedule.
fixes eveseat/seat#867.