xenofem/python-zulip-api
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

bots: Audit filesystem access.

Browse source 
This adds a safe function for opening files via
ExternalBotHandler. This restricts open calls to a bot's
local directory.

Finalizes #9
This commit is contained in:
derAnfaenger 2017-07-25 16:04:38 +02:00
parent e619c19b36
commit f3eaa381f6
2 changed files with 19 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

6
zulip_botserver/zulip_botserver/server.py
View file

@ -1,6 +1,7 @@
from __future__ import absolute_import
from __future__ import print_function
import os
import sys
import json
import optparse
@ -47,12 +48,13 @@ def handle_bot(bot):
# type: (str) -> Union[str, BadRequest]
if bot not in available_bots:
return BadRequest("requested bot service {} not supported".format(bot))
client = Client(email=bots_config[bot]["email"],
api_key=bots_config[bot]["key"],
site=bots_config[bot]["site"])
try:
restricted_client = ExternalBotHandler(client)
bot_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'bots', bot)
restricted_client = ExternalBotHandler(client, bot_dir)
except SystemExit:
return BadRequest("Cannot fetch user profile for bot {}, make sure you have set up the flaskbotrc "
"file correctly.".format(bot))