This is an automated email from the ASF dual-hosted git repository.

gongchao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hertzbeat.git


The following commit(s) were added to refs/heads/master by this push:
     new 2a3f4dfa8 [Improve] script command blacklist (#2438)
2a3f4dfa8 is described below

commit 2a3f4dfa80f6c1f221eae732d64ba6a678b97b3f
Author: Jast <[email protected]>
AuthorDate: Fri Aug 2 10:05:10 2024 +0800

    [Improve] script command blacklist (#2438)
---
 .../collect/common/ssh/CommonSshBlacklist.java     | 114 +++++++++++++++++++++
 .../collector/collect/ssh/SshCollectImpl.java      |   8 ++
 2 files changed, 122 insertions(+)

diff --git 
a/collector/src/main/java/org/apache/hertzbeat/collector/collect/common/ssh/CommonSshBlacklist.java
 
b/collector/src/main/java/org/apache/hertzbeat/collector/collect/common/ssh/CommonSshBlacklist.java
new file mode 100644
index 000000000..edbb08649
--- /dev/null
+++ 
b/collector/src/main/java/org/apache/hertzbeat/collector/collect/common/ssh/CommonSshBlacklist.java
@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hertzbeat.collector.collect.common.ssh;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Command blacklist
+ */
+public class CommonSshBlacklist {
+
+    private static final Set<String> BLACKLIST;
+
+    static {
+        Set<String> tempSet = new HashSet<>();
+        initializeDefaultBlacklist(tempSet);
+        BLACKLIST = Collections.unmodifiableSet(tempSet);
+    }
+
+    private CommonSshBlacklist() {
+        // Prevent instantiation
+    }
+
+    private static void initializeDefaultBlacklist(Set<String> blacklist) {
+        // Adding default dangerous commands to blacklist
+        blacklist.add("rm ");
+        blacklist.add("mv ");
+        blacklist.add("cp ");
+        blacklist.add("ln ");
+        blacklist.add("dd ");
+        blacklist.add("tar ");
+        blacklist.add("zip ");
+        blacklist.add("bzip2 ");
+        blacklist.add("bunzip2 ");
+        blacklist.add("xz ");
+        blacklist.add("unxz ");
+        blacklist.add("kill ");
+        blacklist.add("killall ");
+        blacklist.add("reboot");
+        blacklist.add("shutdown");
+        blacklist.add("poweroff");
+        blacklist.add("init 0");
+        blacklist.add("init 6");
+        blacklist.add("telinit 0");
+        blacklist.add("telinit 6");
+        blacklist.add("systemctl halt");
+        blacklist.add("systemctl suspend");
+        blacklist.add("systemctl hibernate");
+        blacklist.add("service reboot");
+        blacklist.add("service shutdown");
+        blacklist.add("crontab -e");
+        blacklist.add("visudo");
+        blacklist.add("useradd");
+        blacklist.add("userdel");
+        blacklist.add("usermod");
+        blacklist.add("groupadd");
+        blacklist.add("groupdel");
+        blacklist.add("groupmod");
+        blacklist.add("passwd");
+        blacklist.add("su ");
+        blacklist.add("sudo ");
+        blacklist.add("mount ");
+        blacklist.add("parted");
+        blacklist.add("mkpart");
+        blacklist.add("partprobe");
+        blacklist.add("iptables");
+        blacklist.add("firewalld");
+        blacklist.add("nft");
+        blacklist.add("nc ");
+        blacklist.add("netcat");
+        blacklist.add("ssh ");
+        blacklist.add("scp ");
+        blacklist.add("rsync");
+        blacklist.add("ftp ");
+        blacklist.add("sftp ");
+        blacklist.add("telnet ");
+        blacklist.add("chmod ");
+        blacklist.add("chattr ");
+        blacklist.add("dd ");
+        blacklist.add("mknod");
+        blacklist.add("losetup");
+        blacklist.add("cryptsetup");
+    }
+
+    public static boolean isCommandBlacklisted(String command) {
+        if (command == null || command.trim().isEmpty()) {
+            throw new IllegalArgumentException("Command cannot be null or 
empty");
+        }
+        String trimmedCommand = command.trim();
+        return BLACKLIST.stream().anyMatch(trimmedCommand::contains);
+    }
+
+    public static Set<String> getBlacklist() {
+        return BLACKLIST;
+    }
+
+}
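Review bot: `isCommandBlacklisted` decides by plain substring (`anyMatch(trimmedCommand::contains)` at the end of the hunk), which is both bypassable and over-broad: `rm\t-rf /`, `r''m -rf /`, `$(printf 'r\155') -rf /`, `find / -delete`, `bash -c '...'`, `eval` and `> /dev/sda` all pass, while harmless scripts such as `cat /etc/passwd`, `mount | grep`, `last reboot`, or anything containing `add `, `sync ` or `alarm ` are rejected because `dd `, `nc ` and `rm ` are substrings of them. A substring list over a free-form shell script cannot be a security boundary, so the class comment should say so — e.g. `Best-effort guard against obviously destructive commands. Substring matching is bypassable; the permissions of the SSH account remain the real control.` — and matching should at least be anchored on token boundaries, as sketched below, which removes the `add `/`sync `/`alarm ` false positives while still catching `/bin/rm`. `dd ` is added twice (once near the top of the list and again near the end); drop one. The sketch needs `java.util.regex.Pattern` and `java.util.stream.Collectors` imported, and the pattern field must be declared after the static block that fills `BLACKLIST`.
```java
// Built once from BLACKLIST: each entry as a literal, matched only at token boundaries
// ("rm" must not be preceded by a word character, so "alarm"/"add"/"sync" no longer trip it,
// and must not be followed by one, so "rmdir" is not "rm"; a leading "/" is allowed so "/bin/rm" is caught).
private static final Pattern BLACKLIST_PATTERN = Pattern.compile(
        BLACKLIST.stream()
                .map(String::trim)
                .map(Pattern::quote)
                .collect(Collectors.joining("|", "(?<![\\w.-])(?:", ")(?![\\w.-])")));

public static boolean isCommandBlacklisted(String command) {
    // … unchanged: null/blank argument check …
    // Collapse whitespace runs so "rm\t-rf" and "init  0" look like "rm -rf" / "init 0".
    String normalized = command.trim().replaceAll("\\s+", " ");
    return BLACKLIST_PATTERN.matcher(normalized).find();
}
```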
diff --git 
a/collector/src/main/java/org/apache/hertzbeat/collector/collect/ssh/SshCollectImpl.java
 
b/collector/src/main/java/org/apache/hertzbeat/collector/collect/ssh/SshCollectImpl.java
index fddbf7abf..dfed8e7a6 100644
--- 
a/collector/src/main/java/org/apache/hertzbeat/collector/collect/ssh/SshCollectImpl.java
+++ 
b/collector/src/main/java/org/apache/hertzbeat/collector/collect/ssh/SshCollectImpl.java
@@ -38,6 +38,7 @@ import org.apache.hertzbeat.collector.collect.AbstractCollect;
 import org.apache.hertzbeat.collector.collect.common.cache.CacheIdentifier;
 import 
org.apache.hertzbeat.collector.collect.common.cache.ConnectionCommonCache;
 import org.apache.hertzbeat.collector.collect.common.cache.SshConnect;
+import org.apache.hertzbeat.collector.collect.common.ssh.CommonSshBlacklist;
 import org.apache.hertzbeat.collector.collect.common.ssh.CommonSshClient;
 import org.apache.hertzbeat.collector.dispatch.DispatchConstants;
 import org.apache.hertzbeat.collector.util.CollectUtil;
@@ -85,6 +86,7 @@ public class SshCollectImpl extends AbstractCollect {
 
     @Override
     public void collect(CollectRep.MetricsData.Builder builder, long 
monitorId, String app, Metrics metrics) {
+
         long startTime = System.currentTimeMillis();
         SshProtocol sshProtocol = metrics.getSsh();
         boolean reuseConnection = 
Boolean.parseBoolean(sshProtocol.getReuseConnection());
@@ -93,6 +95,12 @@ public class SshCollectImpl extends AbstractCollect {
         ClientSession clientSession = null;
         try {
             clientSession = getConnectSession(sshProtocol, timeout, 
reuseConnection);
+            if 
(CommonSshBlacklist.isCommandBlacklisted(sshProtocol.getScript())) {
+                builder.setCode(CollectRep.Code.FAIL);
+                builder.setMsg("The command is blacklisted: " + 
sshProtocol.getScript());
+                log.warn("The command is blacklisted: {}", 
sshProtocol.getScript());
+                return;
+            }
             channel = clientSession.createExecChannel(sshProtocol.getScript());
             ByteArrayOutputStream response = new ByteArrayOutputStream();
             channel.setOut(response);
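Review bot: The blacklist check sits after `getConnectSession(...)`, so an SSH session is opened (and, when `reuseConnection` is set, cached) for a script that is then rejected; move the `if (CommonSshBlacklist.isCommandBlacklisted(sshProtocol.getScript())) { ... return; }` block above the `try` so a rejected script never touches the target host. `isCommandBlacklisted` throws `IllegalArgumentException` when the script is null or blank, a case that previously reached `createExecChannel` unchecked; the `catch` clauses that would turn that into a collect failure are outside the hunk, so confirm it is caught and reported rather than escaping `collect`. The rejection message copies the full script into the metrics message and the warn log, which is acceptable for operator-authored scripts but deserves a short comment if scripts may embed credentials. The enclosing `collect` method and its `finally` continue outside the hunk.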

