run/sculpt: confirm command execution

In order to prevent untrusted goarc files to execute malicious commands via target_opt(sculpt-cmd), users must confirm the command execution interactively. genodelabs#99
jschlatow · Sep 12, 2024 · 838c084 · 838c084
1 parent 9675bdc
commit 838c084
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/share/goa/lib/run/sculpt.tcl b/share/goa/lib/run/sculpt.tcl
@@ -71,8 +71,20 @@ proc run_genode { } {
  if {[info exists target_opt($target-cmd)]} {
  set opt_cmd "SERVER=$host;"
  append opt_cmd {*}$target_opt($target-cmd)
- spawn sh -c "$opt_cmd"
- set cmd_spawn_id $spawn_id
+
+ # ask user for confirmation before spawning optional command
+ send_user "Do you want to run '$opt_cmd'? \[Y/n]: "
+ set choice [expect_user {
+ -nocase n { expr 0 }
+ -nocase y { expr 1 }
+ -re "\n" { expr 1 }
+ timeout { expr 0 }
+ }]
+
+ if {$choice} {
+ spawn sh -c "$opt_cmd"
+ set cmd_spawn_id $spawn_id
+ }
  }
 
  eval spawn -noecho telnet $host $port_telnet