JFIF$        dd7 

Viewing File: /usr/share/cagefs/__pycache__/check_params.cpython-311.pyc

�

G��߰�&��	�"�ddlZddlZddlZddlZddlmZdZdZd�Zd�Z	d�Z
d�Zd	�Zd
�Z
dd�Zd
�Zdd�Zd�Zd�Zd�Zdd�Zdd�Zedkr@ejeejdejdejdd�����dSdS)�N)�Listz/etc/cagefs/filters�Pc�2�|rt||z��dSdS)N)�print)�debug�msg�argss   �`/builddir/build/BUILDROOT/cagefs-7.6.28-1.el9.cloudlinux.x86_64/usr/share/cagefs/check_params.py�dmesgrs,����
�c�D�j��������c��	tj�|��}ttj�t
d|z��d��}t
j|��}|���n#t$rYdSwxYwt|��dkrd|vsd|vsd|vr|S|�||�dd����S)	z*
    Load JSON config by command name
    z%s.json�rN��allow�deny�
restrict_path�default)�os�path�basename�open�join�CONFIGS_DIR�json�load�close�	Exception�len�get)�command_path�name�f�full_configs    r
�load_configr$s�����w����-�-�������k�9�t�+;�<�<�c�B�B���i��l�l��	���	�	�	�	�������t�t������;���1���'�[�"8�"8�"(�K�"7�"7�"1�[�"@�"@����?�?�<�����D�)I�)I�J�J�Js�A=B�
B�
Bc�,�|�d��S)z�
    Return True if arg is a long option name, not a parameter of an option
    Long options start with a *double* dash.

    :param arg: option or parameter
    :type arg: string
    �--)�
startswith��args r
�is_long_optionr*+s���>�>�$���rc�L�|�d��ot|��S)z�
    Return True if arg is a short option name, not a parameter of an option
    Short options start with a *single* dash.

    :param arg: option or parameter
    :type arg: string
    �-)r'r*r(s r
�is_short_optionr-5s&���>�>�#���:�~�c�':�':�#:�:rc��t|��ot|��}t|��ot|��}|p|S)z\
    Return True if both arguments were options of the same type, either long or short.
    )r-r*)�arg1�arg2�
same_short�	same_longs    r
�is_same_option_typer3?sC��!��&�&�@�?�4�+@�+@�J��t�$�$�=���)=�)=�I��"�
�"rc��|rjt||��sdSt|��r|�d��d|kSt|��r|dd�|vSt	d���|�|��S)a$
    Look for the flag inside the provided commandline argument.
    The search algorithm depends on the `strict` parameter.

    With strict processing:
    * short options are treated as possible clusters, and finding a match anywhere
    inside the argument string means that the flag is present.
    * long options are split on `=` to discard their values, then compared in entirety.

    Without it, the flag is simply compared to the start of the argument string.

    :param arg: Argument string to look inside of.
    :param flag: Flag to look for.
    :param strict: Strict processing switch.
    :raises RuntimeError: When the arg and the flag are both of the same
    option type, but arg somehow is neither a long nor a short option.
    :return: True if flag was found, False otherwise.
    F�=rrNz>Argument and flag option types match, but arg is not an option)r3r*�splitr-�
ValueErrorr')r)�flag�stricts   r
�is_flag_presentr:Gs���(�$�"�3��-�-�	��5��#���	_��9�9�S�>�>�!�$��,�,�
�S�
!�
!�
	_�����8�s�?�"��]�^�^�^��~�~�d�#�#�#rFc�V�|D]%}|dkrdS|D]}t|||��rdS��&dS)aR
    Check if there are any forbidden options present in the arguments.

    :param args: The argument list to check, without the program name.
    :param deny_list: The list of forbidden options.
    :param strict_flag: Strict processing, see `is_flag_present`.
    :return: True if any forbidden flags are present, False otherwise.
    r&FT)r:)r	�	deny_list�strict_flagr)�opts     r
�has_denied_paramsr?rsb�������$�;�;��5�5��	�	�C��s�C��5�5�
��t�t�t�
�	��5rc����t|��r)|dd�}�fd�|D��}t|��rdSt|��r!|�d��d}|�vrdSdS)z�
    Strict variant of checking for non-allowed parameters.

    :param arg: Argument to check.
    :param allow_list: List of allowed options.
    :return: True if any non-allowed options are present, False otherwise.
    rNc3�&�K�|]}d|z�vV��dS)r,N�)�.0r>�
allow_lists  �r
�	<genexpr>z&strict_extra_params.<locals>.<genexpr>�s,�����M�M�#�C��G�:�5�M�M�M�M�M�MrTr5rF)r-�anyr*r6)r)rD�arg_no_dash�opts_not_allowed�	long_names `   r
�strict_extra_paramsrJ�s�����s�����!�"�"�g��M�M�M�M��M�M�M���� � �	��4��c�����I�I�c�N�N�1�%�	��J�&�&��4��5rc��|D]F}|r|dkrdSt||��rdS�!t|��st|��r||vrdS�GdS)a�
    Check if all used args are allowed for the program.

    :param args: The program's argv, without the program name.
    :param allow_list: A list of allowed arguments. Dashes in front of names are present.
    :param strict_flag: Strict processing flag, operates similarly to `is_flag_present`.
    :return: Returns True if there are any arguments not in the allowed list, False otherwise.
    r&FT)rJr-r*)r	rDr=r)s    r
�has_extra_paramsrL�s��������	��d�{�{��u�u�$�S�*�5�5�
��t�t�
� ��$�$�
��s�(;�(;�
�#�Z�BW�BW��t�t���5rc��tjd��tjttjz||z��tj��dS)z4
    Wrapper for syslog or other logging system
    zcagefs.check_paramsN)�syslog�openlog�LOG_AUTHPRIV�LOG_PID�closelog)�messager	s  r
�to_logrT�sF���N�(�)�)�)�
�M�,���/��4��@�@�@�
�O�����rc�8�|dkrdS|ddkr|�d�S|S)N��/���rB)rs r
�addslashrY�s.���r�z�z��s��R��C���������Krc���ttj�|����}d|z}|dks|�d��r3tj�|�d|����S||ks|�|dz��r3tj�|�||����Stj�|��S)N�~z~/rW)rYrr�realpathr'�replace)r�user�home_dir�userpaths    r
�
expanduserra�s������(�(��2�2�3�3�H��4�x�H��s�{�{�d�o�o�d�+�+�{��w������S�(� ;� ;�<�<�<��x���4�?�?�8�C�<�8�8���w������X�x� @� @�A�A�A�
�7���D�!�!�!rc
��ttj�|����}t	|��D�]<\}}||vr�	||dz}	n#t
$rY�#wxYwt
|	||��}	t|	��}	|	�|��sFt|d|||||dz��td|||||dz��dS��|D]�}
|�|
��r|t|
��d�}	t
|	||��}	t|	��}	|	�|��s3t|d|||��td|||��dS����>dS)aT
    Return True when args contain paths that refer outside of user's home directory
    :param args: parameters (options) from command line
    :type args: list of strings
    :param restrict_path_list: names of parameters (options) that should use paths inside user's home directory only
    :type restrict_path_list: list of strings
    rz0Attempt to call program %s with %s %s parametersTNz,Attempt to call program %s with %s parameterF)rYrrr\�	enumerate�
IndexErrorrar'rrTr)r^�homedirr r	�restrict_path_listrr_�ir)rr>s           r
�
check_pathrh�s������(�(��1�1�2�2�H��D�/�/�$�$���3��$�$�$�
��A�a�C�y�����
�
�
���
�����d�D�(�3�3�D��D�>�>�D��?�?�8�,�,�
��e�O�Q]�_c�de�_f�hl�mn�op�mp�hq�r�r�r��I�<�Y]�^_�Y`�bf�gh�ij�gj�bk�l�l�l��t�t�
�
*�	
$�	
$���>�>�#�&�&�$��s�3�x�x�y�y�>�D�%�d�D�(�;�;�D�#�D�>�>�D��?�?�8�4�4�$��e�%S�Ua�cg�hi�cj�k�k�k��M�|�]a�bc�]d�e�e�e�#�t�t�t��	
$��5s�A�
A �A c��t|��dkrt|d��dSt|��dkrt|d|d��dS|d}|dd�}t|��}t|dt|����|st|d|��dS|�d	d��}|�d
d��}|�dd��}	|�dd
��}
|s|s|	st|d��dS|r|rt|d��dS|r4t|||
��r#t|d|��t
d|��dS|r4t|||
��r#t|d|��t
d|��dS|	rt|||||	|��rdSt|d��dS)z�
    Program main function
    :params - list of strings that specify command and its parameters, such as ['/path/command', '-a', 'arg', '-C', '/path/to/config']
    rzNo parameters specifiedr�z8Command has no parameters. Allow execution of command %sNz
config: %sz/Config not found. Allow execution of command %srrr�strict_optionsFz,empty config - allow user to run the commandzWinvalid config - both allow and deny lists are specified. allow user to run the commandz1Attempt to call program %s with denied parametersz0Attempt to call program %s with extra parameterszExecution allowed)	rrr$�strrr?rTrLrh)r^re�paramsrr r	�configrDr<rfr=s           r
�mainro�s���6�{�{�a���
�e�.�/�/�/��q��6�{�{�Q���
�e�O�QW�XY�QZ�[�[�[��q��!�9�L��!�"�"�:�D�
��
&�
&�F�	�%��s�6�{�{�+�+�+���
�e�F��U�U�U��q����G�T�*�*�J��
�
�6�4�(�(�I����O�T�:�:���*�*�-�u�5�5�K���)��'9��
�e�C�D�D�D��q���i��
�e�n�o�o�o��q���&�t�Y��D�D��
�e�H�,�W�W�W��B�L�Q�Q�Q��q���&�t�Z��E�E��
�e�G��V�V�V��A�<�P�P�P��q���j��w��d�L^�`e�f�f���q�	�%�$�%�%�%��1r�__main__rrj�)F)rr�sysrN�typingrrrPrr$r*r-r3r:r?rJrLrTrYrarhro�__name__�exit�argvrBrr
�<module>rws�������	�	�	�	�
�
�
�
�
�
�
�
�������$�������
K�K�K�, � � �;�;�;�#�#�#�($�($�($�V����*���:����,������"�"�"�!�!�!�!�J3
�3
�3
�3
�l�z����C�H�T�T�#�(�1�+�s�x��{�C�H�Q�R�R�L�
9�
9�:�:�:�:�:��r
Back to Directory  nL+D550H?Mx ,D"v]qv;6*Zqn)ZP0!1 A "#a$2Qr D8 a Ri[f\mIykIw0cuFcRı?lO7к_f˓[C$殷WF<_W ԣsKcëIzyQy/_LKℂ;C",pFA:/]=H  ~,ls/9ć:[=/#f;)x{ٛEQ )~ =𘙲r*2~ a _V=' kumFD}KYYC)({ *g&f`툪ry`=^cJ.I](*`wq1dđ#̩͑0;H]u搂@:~וKL Nsh}OIR*8:2 !lDJVo(3=M(zȰ+i*NAr6KnSl)!JJӁ* %݉?|D}d5:eP0R;{$X'xF@.ÊB {,WJuQɲRI;9QE琯62fT.DUJ;*cP A\ILNj!J۱+O\͔]ޒS߼Jȧc%ANolՎprULZԛerE2=XDXgVQeӓk yP7U*omQIs,K`)6\G3t?pgjrmۛجwluGtfh9uyP0D;Uڽ"OXlif$)&|ML0Zrm1[HXPlPR0'G=i2N+0e2]]9VTPO׮7h(F*癈'=QVZDF,d߬~TX G[`le69CR(!S2!P <0x<!1AQ "Raq02Br#SCTb ?Ζ"]mH5WR7k.ۛ!}Q~+yԏz|@T20S~Kek *zFf^2X*(@8r?CIuI|֓>^ExLgNUY+{.RѪ τV׸YTD I62'8Y27'\TP.6d&˦@Vqi|8-OΕ]ʔ U=TL8=;6c| !qfF3aů&~$l}'NWUs$Uk^SV:U# 6w++s&r+nڐ{@29 gL u"TÙM=6(^"7r}=6YݾlCuhquympǦ GjhsǜNlɻ}o7#S6aw4!OSrD57%|?x>L |/nD6?/8w#[)L7+6〼T ATg!%5MmZ/c-{1_Je"|^$'O&ޱմTrb$w)R$& N1EtdU3Uȉ1pM"N*(DNyd96.(jQ)X 5cQɎMyW?Q*!R>6=7)Xj5`J]e8%t!+'!1Q5 !1 AQaqё#2"0BRb?Gt^## .llQT $v,,m㵜5ubV =sY+@d{N! dnO<.-B;_wJt6;QJd.Qc%p{ 1,sNDdFHI0ГoXшe黅XۢF:)[FGXƹ/w_cMeD,ʡcc.WDtA$j@:) -# u c1<@ۗ9F)KJ-hpP]_x[qBlbpʖw q"LFGdƶ*s+ډ_Zc"?%t[IP 6J]#=ɺVvvCGsGh1 >)6|ey?Lӣm,4GWUi`]uJVoVDG< SB6ϏQ@ TiUlyOU0kfV~~}SZ@*WUUi##; s/[=!7}"WN]'(L! ~y5g9T̅JkbM' +s:S +B)v@Mj e Cf jE 0Y\QnzG1д~Wo{T9?`Rmyhsy3!HAD]mc1~2LSu7xT;j$`}4->L#vzŏILS ֭T{rjGKC;bpU=-`BsK.SFw4Mq]ZdHS0)tLg