fix: fix some security issues

2023-11-12 22:22:05 +02:00
parent 62dd77317d
commit e03fcbfab5
11 changed files with 47 additions and 33 deletions


@ -87,11 +87,11 @@ def _parser() -> argparse.ArgumentParser:
parser.add_argument("--repository-id", help=argparse.SUPPRESS)
parser.add_argument("--unsafe", help="allow to run ahriman as non-ahriman user. Some actions might be unavailable",
action="store_true")
parser.add_argument("-V", "--version", action="version", version=__version__)
parser.add_argument("--wait-timeout", help="wait for lock to be free. Negative value will lead to "
"immediate application run even if there is lock file. "
"In case of zero value, the application will wait infinitely",
type=int, default=-1)
parser.add_argument("-V", "--version", action="version", version=__version__)
subparsers = parser.add_subparsers(title="command", help="command to run", dest="command")
@ -178,8 +178,8 @@ def _set_help_commands_unsafe_parser(root: SubParserAction) -> argparse.Argument
"""
parser = root.add_parser("help-commands-unsafe", help="list unsafe commands",
description="list unsafe commands as defined in default args", formatter_class=_formatter)
parser.add_argument("command", help="instead of showing commands, just test command line for unsafe subcommand "
"and return 0 in case if command is safe and 1 otherwise", nargs="*")
parser.add_argument("subcommand", help="instead of showing commands, just test command line for unsafe subcommand "
"and return 0 in case if command is safe and 1 otherwise", nargs="*")
parser.set_defaults(handler=handlers.UnsafeCommands, architecture="", lock=None, quiet=True, report=False,
repository="", unsafe=True, parser=_parser)
return parser
@ -198,7 +198,7 @@ def _set_help_parser(root: SubParserAction) -> argparse.ArgumentParser:
parser = root.add_parser("help", help="show help message",
description="show help message for application or command and exit",
formatter_class=_formatter)
parser.add_argument("command", help="show help message for specific command", nargs="?")
parser.add_argument("subcommand", help="show help message for specific command", nargs="?")
parser.set_defaults(handler=handlers.Help, architecture="", lock=None, quiet=True, report=False, repository="",
unsafe=True, parser=_parser)
return parser


@ -44,7 +44,7 @@ class Help(Handler):
report(bool): force enable or disable reporting
"""
parser: argparse.ArgumentParser = args.parser()
if args.command is None:
if args.subcommand is None:
parser.parse_args(["--help"])
else:
parser.parse_args([args.command, "--help"])
parser.parse_args([args.subcommand, "--help"])


@ -46,8 +46,8 @@ class UnsafeCommands(Handler):
"""
parser = args.parser()
unsafe_commands = UnsafeCommands.get_unsafe_commands(parser)
if args.command:
UnsafeCommands.check_unsafe(args.command, unsafe_commands, parser)
if args.subcommand:
UnsafeCommands.check_unsafe(args.subcommand, unsafe_commands, parser)
else:
for command in unsafe_commands:
StringPrinter(command)(verbose=True)


@ -17,7 +17,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from aiohttp.web import HTTPFound
from aiohttp.web import HTTPFound, HTTPNotFound
from ahriman.models.user_access import UserAccess
from ahriman.web.views.base import BaseView
@ -40,5 +40,8 @@ class StaticView(BaseView):
Raises:
HTTPFound: on success response
HTTPNotFound: if path is invalid or unknown
"""
raise HTTPFound(f"/static{self.request.path}")
if self.request.path in self.ROUTES: # explicit validation
raise HTTPFound(f"/static{self.request.path}")
raise HTTPNotFound
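Review bot: The new last line raises the class, `raise HTTPNotFound`, while the line above raises an instance, `raise HTTPFound(...)`; writing `raise HTTPNotFound()` keeps the two branches consistent and makes the response construction explicit. The membership test against `self.ROUTES` is what now bounds the redirect target to a fixed set of known paths, so the inline comment should say that rather than just "explicit validation", e.g. `# allowlist check: only paths listed in ROUTES are redirected under /static`. Note that aiohttp's `request.path` is the percent-decoded path, so the comparison and the redirect location are both built from the decoded string; that is fine for an exact-match allowlist, presumably because none of the listed routes need escaping, but it is worth confirming where ROUTES is defined. The enclosing method's signature and `ROUTES` itself are outside the hunk.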