disallow shell scripting in web by default

2026-04-20 15:56:00 +00:00 · 2022-03-20 11:17:49 +01:00
parent 6fb582249c
commit 2bec053809
11 changed files with 204 additions and 75 deletions
--- a/packages/web/src/impexp/ScriptWriter.ts
+++ b/packages/web/src/impexp/ScriptWriter.ts
@@ -1,58 +0,0 @@
-import _ from 'lodash';
-import { extractShellApiFunctionName, extractShellApiPlugins } from 'dbgate-tools';
-
-export default class ScriptWriter {
-  s = '';
-  packageNames: string[] = [];
-  varCount = 0;
-
-  constructor(varCount = '0') {
-    this.varCount = parseInt(varCount) || 0;
-  }
-
-  allocVariable(prefix = 'var') {
-    this.varCount += 1;
-    return `${prefix}${this.varCount}`;
-  }
-
-  put(s = '') {
-    this.s += s;
-    this.s += '\n';
-  }
-
-  assign(variableName, functionName, props) {
-    this.put(`const ${variableName} = await ${extractShellApiFunctionName(functionName)}(${JSON.stringify(props)});`);
-    this.packageNames.push(...extractShellApiPlugins(functionName, props));
-  }
-
-  assignValue(variableName, jsonValue) {
-    this.put(`const ${variableName} = ${JSON.stringify(jsonValue)};`);
-  }
-
-  requirePackage(packageName) {
-    this.packageNames.push(packageName);
-  }
-
-  copyStream(sourceVar, targetVar, colmapVar = null) {
-    if (colmapVar) {
-      this.put(`await dbgateApi.copyStream(${sourceVar}, ${targetVar}, {columns: ${colmapVar}});`);
-    } else {
-      this.put(`await dbgateApi.copyStream(${sourceVar}, ${targetVar});`);
-    }
-  }
-
-  comment(s) {
-    this.put(`// ${s}`);
-  }
-
-  getScript(schedule = null) {
-    const packageNames = this.packageNames;
-    let prefix = _.uniq(packageNames)
-      .map(packageName => `// @require ${packageName}\n`)
-      .join('');
-    if (schedule) prefix += `// @schedule ${schedule}`;
-    if (prefix) prefix += '\n';
-
-    return prefix + this.s;
-  }
-}
--- a/packages/web/src/impexp/createImpExpScript.ts
+++ b/packages/web/src/impexp/createImpExpScript.ts
@@ -1,5 +1,5 @@
 import _ from 'lodash';
-import ScriptWriter from './ScriptWriter';
+import { ScriptWriter, ScriptWriterJson } from 'dbgate-tools';
 import getAsArray from '../utility/getAsArray';
 import { getConnectionInfo } from '../utility/metadataLoaders';
 import { findEngineDriver, findObjectLike } from 'dbgate-tools';
@@ -187,8 +187,12 @@ export function normalizeExportColumnMap(colmap) {
  return null;
 }

-export default async function createImpExpScript(extensions, values, addEditorInfo = true) {
-  const script = new ScriptWriter(values.startVariableIndex || 0);
+export default async function createImpExpScript(extensions, values, addEditorInfo = true, forceScript = false) {
+  const config = getCurrentConfig();
+  const script =
+    config.allowShellScripting || forceScript
+      ? new ScriptWriter(values.startVariableIndex || 0)
+      : new ScriptWriterJson(values.startVariableIndex || 0);

  const [sourceConnection, sourceDriver] = await getConnection(
    extensions,
@@ -222,7 +226,7 @@ export default async function createImpExpScript(extensions, values, addEditorIn
    }

    script.copyStream(sourceVar, targetVar, colmapVar);
-    script.put();
+    script.endLine();
  }
  if (addEditorInfo) {
    script.comment('@ImportExportConfigurator');
--- a/packages/web/src/modals/ImportExportModal.svelte
+++ b/packages/web/src/modals/ImportExportModal.svelte
@@ -16,7 +16,7 @@
  import { getDefaultFileFormat } from '../plugins/fileformats';
  import RunnerOutputFiles from '../query/RunnerOutputFiles.svelte';
  import SocketMessageView from '../query/SocketMessageView.svelte';
-  import { currentArchive, currentDatabase, extensions, selectedWidget } from '../stores';
+  import { currentArchive, currentDatabase, extensions, getCurrentConfig, selectedWidget } from '../stores';
  import { apiCall, apiOff, apiOn } from '../utility/api';
  import createRef from '../utility/createRef';
  import openNewTab from '../utility/openNewTab';
@@ -90,7 +90,7 @@

  const handleGenerateScript = async e => {
    closeCurrentModal();
-    const code = await createImpExpScript($extensions, e.detail);
+    const code = await createImpExpScript($extensions, e.detail, undefined, true);
    openNewTab(
      {
        title: 'Shell #',
@@ -108,7 +108,7 @@
    const script = await createImpExpScript($extensions, values);
    executeNumber += 1;
    let runid = runnerId;
-    const resp = await apiCall('runners/start', { script, isGeneratedScript: true });
+    const resp = await apiCall('runners/start', { script });
    runid = resp.runid;
    runnerId = runid;

--- a/packages/web/src/tabs/ShellTab.svelte
+++ b/packages/web/src/tabs/ShellTab.svelte
@@ -12,6 +12,7 @@
    execute: true,
    toggleComment: true,
    findReplace: true,
+    executeAdditionalCondition: () => getCurrentConfig().allowShellScripting,
  });

  registerCommand({
@@ -51,6 +52,7 @@
  import AceEditor from '../query/AceEditor.svelte';
  import RunnerOutputPane from '../query/RunnerOutputPane.svelte';
  import useEditorData from '../query/useEditorData';
+  import { getCurrentConfig } from '../stores';
  import { apiCall, apiOff, apiOn } from '../utility/api';
  import { copyTextToClipboard } from '../utility/clipboard';
  import { changeTab } from '../utility/common';
@@ -177,6 +179,11 @@
    const resp = await apiCall('runners/start', {
      script: getActiveScript(),
    });
+    if (resp.errorMessage) {
+      showSnackbarError(resp.errorMessage);
+      return;
+    }
+
    runid = resp.runid;
    runnerId = runid;
    busy = true;
--- a/packages/web/src/utility/exportFileTools.ts
+++ b/packages/web/src/utility/exportFileTools.ts
@@ -1,9 +1,10 @@
-import ScriptWriter from '../impexp/ScriptWriter';
+import { ScriptWriter, ScriptWriterJson } from 'dbgate-tools';
 import getElectron from './getElectron';
 import { showSnackbar, showSnackbarInfo, showSnackbarError, closeSnackbar } from '../utility/snackbar';
 import resolveApi from './resolveApi';
 import { apiCall, apiOff, apiOn } from './api';
 import { normalizeExportColumnMap } from '../impexp/createImpExpScript';
+import { getCurrentConfig } from '../stores';

 export async function exportQuickExportFile(dataName, reader, format, columnMap = null) {
  const electron = getElectron();
@@ -25,7 +26,7 @@ export async function exportQuickExportFile(dataName, reader, format, columnMap

  if (!filePath) return;

-  const script = new ScriptWriter();
+  const script = getCurrentConfig().allowShellScripting ? new ScriptWriter() : new ScriptWriterJson();

  const sourceVar = script.allocVariable();
  script.assign(sourceVar, reader.functionName, reader.props);
@@ -42,9 +43,9 @@ export async function exportQuickExportFile(dataName, reader, format, columnMap
  }

  script.copyStream(sourceVar, targetVar, colmapVar);
-  script.put();
+  script.endLine();

-  const resp = await apiCall('runners/start', { script: script.getScript(), isGeneratedScript: true });
+  const resp = await apiCall('runners/start', { script: script.getScript() });
  const runid = resp.runid;
  let isCanceled = false;