* Secure terminal write with command validation * Prevents execution of malicious or dangerous commands through plugin API * @param {string} id - Terminal ID * @param {string} data - Data to write
(id, data)
| 421 | * @param {string} data - Data to write |
| 422 | */ |
| 423 | #secureTerminalWrite(id, data) { |
| 424 | if (typeof data !== "string") { |
| 425 | console.warn("Terminal write data must be a string"); |
| 426 | return; |
| 427 | } |
| 428 | |
| 429 | // List of potentially dangerous commands/patterns to block |
| 430 | const dangerousPatterns = [ |
| 431 | // System commands that can cause damage |
| 432 | /^\s*rm\s+-rf?\s+\/[^\r\n]*[\r\n]?$/m, |
| 433 | /^\s*rm\s+-rf?\s+\*[^\r\n]*[\r\n]?$/m, |
| 434 | /^\s*rm\s+-rf?\s+~[^\r\n]*[\r\n]?$/m, |
| 435 | /^\s*mkfs\.[^\r\n]*[\r\n]?$/m, |
| 436 | /^\s*dd\s+if=\/[^\r\n]*[\r\n]?$/m, |
| 437 | /^\s*:(){ :|:& };:[^\r\n]*[\r\n]?$/m, // Fork bomb |
| 438 | /^\s*sudo\s+dd\s+if=\/[^\r\n]*[\r\n]?$/m, |
| 439 | /^\s*sudo\s+rm\s+-rf?\s+\/[^\r\n]*[\r\n]?$/m, |
| 440 | /^\s*curl\s+[^\r\n]*\|\s*sh[^\r\n]*[\r\n]?$/m, |
| 441 | /^\s*wget\s+[^\r\n]*\|\s*sh[^\r\n]*[\r\n]?$/m, |
| 442 | /^\s*bash\s+<\s*\([^\r\n]*[\r\n]?$/m, |
| 443 | /^\s*sh\s+<\s*\([^\r\n]*[\r\n]?$/m, |
| 444 | |
| 445 | // Network-based attacks |
| 446 | /^\s*nc\s+-l\s+-p\s+\d+[^\r\n]*[\r\n]?$/m, |
| 447 | /^\s*ncat\s+-l\s+-p\s+\d+[^\r\n]*[\r\n]?$/m, |
| 448 | /^\s*python\s+.*SimpleHTTPServer[^\r\n]*[\r\n]?$/m, |
| 449 | /^\s*python\s+.*http\.server[^\r\n]*[\r\n]?$/m, |
| 450 | |
| 451 | // Process manipulation |
| 452 | /^\s*kill\s+-9\s+1\s*[\r\n]?$/m, |
| 453 | /^\s*killall\s+-9\s+\*[^\r\n]*[\r\n]?$/m, |
| 454 | |
| 455 | // File system manipulation |
| 456 | /^\s*chmod\s+777\s+\/[^\r\n]*[\r\n]?$/m, |
| 457 | /^\s*chown\s+[^\s]+\s+\/[^\r\n]*[\r\n]?$/m, |
| 458 | |
| 459 | // Sensitive file access attempts |
| 460 | /^\s*cat\s+\/etc\/passwd[^\r\n]*[\r\n]?$/m, |
| 461 | /^\s*cat\s+\/etc\/shadow[^\r\n]*[\r\n]?$/m, |
| 462 | /^\s*cat\s+\/root\/[^\r\n]*[\r\n]?$/m, |
| 463 | |
| 464 | // Only block null bytes |
| 465 | /\x00/g, |
| 466 | ]; |
| 467 | |
| 468 | // Check for dangerous patterns |
| 469 | for (const pattern of dangerousPatterns) { |
| 470 | if (pattern.test(data)) { |
| 471 | console.warn( |
| 472 | `Blocked potentially dangerous terminal command: ${data.substring(0, 50)}...`, |
| 473 | ); |
| 474 | toast("Potentially dangerous command blocked for security", 3000); |
| 475 | return; |
| 476 | } |
| 477 | } |
| 478 | |
| 479 | // Additional checks for suspicious character sequences |
| 480 | if (data.includes("$(") && data.includes(")")) { |
no test coverage detected