arguments.go 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440
  1. package executor
  2. import (
  3. config "github.com/OliveTin/OliveTin/internal/config"
  4. "github.com/OliveTin/OliveTin/internal/entities"
  5. "github.com/OliveTin/OliveTin/internal/tpl"
  6. log "github.com/sirupsen/logrus"
  7. "fmt"
  8. "net/mail"
  9. "net/url"
  10. "regexp"
  11. "strings"
  12. "time"
  13. )
  14. var (
  15. typecheckRegex = map[string]string{
  16. "very_dangerous_raw_string": "",
  17. "int": `^\d+$`,
  18. "unicode_identifier": `^[\w\-\.\_\d]+$`,
  19. "ascii": `^[a-zA-Z0-9]+$`,
  20. "ascii_identifier": `^[a-zA-Z0-9\-\._]+$`,
  21. "ascii_sentence": `^[a-zA-Z0-9\-\._, ]+$`,
  22. }
  23. )
  24. // parseExecArray parses all exec arguments in the action.
  25. func parseExecArray(action *config.Action, values map[string]string, entity *entities.Entity) ([]string, error) {
  26. parsed := make([]string, len(action.Exec))
  27. for i, segment := range action.Exec {
  28. out, err := parseExecSegment(segment, values, entity)
  29. if err != nil {
  30. return nil, err
  31. }
  32. parsed[i] = out
  33. }
  34. return parsed, nil
  35. }
  36. func parseActionExec(values map[string]string, action *config.Action, entity *entities.Entity) ([]string, error) {
  37. if action == nil {
  38. return nil, fmt.Errorf("action is nil")
  39. }
  40. if err := validateArguments(values, action); err != nil {
  41. return nil, err
  42. }
  43. parsed, err := parseExecArray(action, values, entity)
  44. if err != nil {
  45. return nil, err
  46. }
  47. logParsedExec(action, parsed, values)
  48. return parsed, nil
  49. }
  50. func parseExecSegment(arg string, values map[string]string, entity *entities.Entity) (string, error) {
  51. return tpl.ParseTemplateWithActionContext(arg, entity, values)
  52. }
  53. func validateArguments(values map[string]string, action *config.Action) error {
  54. for _, arg := range action.Arguments {
  55. if err := typecheckActionArgument(&arg, values[arg.Name], action); err != nil {
  56. return err
  57. }
  58. log.WithFields(log.Fields{"name": arg.Name, "value": values[arg.Name]}).Debugf("Arg assigned")
  59. }
  60. return nil
  61. }
  62. func logParsedExec(action *config.Action, parsed []string, values map[string]string) {
  63. redacted := redactExecArgs(parsed, action.Arguments, values)
  64. log.WithFields(log.Fields{"actionTitle": action.Title, "cmd": redacted}).Infof("Action parse args - After (Exec)")
  65. }
  66. func parseActionArguments(req *ExecutionRequest) (string, error) {
  67. log.WithFields(log.Fields{
  68. "actionTitle": req.Binding.Action.Title,
  69. "cmd": req.Binding.Action.Shell,
  70. }).Infof("Action parse args - Before")
  71. for _, arg := range req.Binding.Action.Arguments {
  72. argName := arg.Name
  73. argValue := req.Arguments[argName]
  74. err := typecheckActionArgument(&arg, argValue, req.Binding.Action)
  75. if err != nil {
  76. return "", err
  77. }
  78. log.WithFields(log.Fields{
  79. "name": argName,
  80. "value": argValue,
  81. }).Debugf("Arg assigned")
  82. }
  83. parsedShellCommand, err := tpl.ParseTemplateWithActionContext(req.Binding.Action.Shell, req.Binding.Entity, req.Arguments)
  84. if err != nil {
  85. return "", err
  86. }
  87. redactedShellCommand := redactShellCommand(parsedShellCommand, req.Binding.Action.Arguments, req.Arguments)
  88. log.WithFields(log.Fields{
  89. "actionTitle": req.Binding.Action.Title,
  90. "cmd": redactedShellCommand,
  91. }).Infof("Action parse args - After")
  92. return parsedShellCommand, nil
  93. }
  94. //gocyclo:ignore
  95. func redactShellCommand(shellCommand string, arguments []config.ActionArgument, argumentValues map[string]string) string {
  96. for _, arg := range arguments {
  97. if arg.Type == "password" {
  98. argValue, exists := argumentValues[arg.Name]
  99. if !exists {
  100. log.Warnf("Redact shell command: Argument %s not found in values", arg.Name)
  101. continue
  102. }
  103. if argValue == "" {
  104. continue
  105. }
  106. shellCommand = strings.ReplaceAll(shellCommand, argValue, "<redacted>")
  107. }
  108. }
  109. return shellCommand
  110. }
  111. //gocyclo:ignore
  112. func redactExecArgs(execArgs []string, arguments []config.ActionArgument, argumentValues map[string]string) []string {
  113. redacted := make([]string, len(execArgs))
  114. for i, arg := range execArgs {
  115. redacted[i] = redactShellCommand(arg, arguments, argumentValues)
  116. }
  117. return redacted
  118. }
  119. func typecheckActionArgument(arg *config.ActionArgument, value string, action *config.Action) error {
  120. if arg.Type == "confirmation" {
  121. return nil
  122. }
  123. if arg.Name == "" {
  124. return fmt.Errorf("argument name cannot be empty")
  125. }
  126. return typecheckActionArgumentFound(value, arg)
  127. }
  128. // ValidateArgument validates a single argument value using the same logic as the executor.
  129. // It applies mangling transformations and performs full validation including null checks,
  130. // choice validation, and type safety checks.
  131. func ValidateArgument(arg *config.ActionArgument, value string, action *config.Action) error {
  132. if arg == nil {
  133. return fmt.Errorf("ValidateArgument: arg is nil")
  134. }
  135. if action == nil {
  136. return fmt.Errorf("ValidateArgument: action is nil")
  137. }
  138. // Apply mangling transformations
  139. mangledValue := MangleArgumentValue(arg, value, action.Title)
  140. // Use the same validation path as the executor
  141. return typecheckActionArgument(arg, mangledValue, action)
  142. }
  143. func typecheckActionArgumentFound(value string, arg *config.ActionArgument) error {
  144. if value == "" {
  145. return typecheckNull(arg)
  146. }
  147. if len(arg.Choices) > 0 {
  148. return typecheckChoice(value, arg)
  149. }
  150. return TypeSafetyCheck(arg.Name, value, arg.Type)
  151. }
  152. // TypeSafetyCheck checks argument values match a specific type. The types are
  153. // defined in typecheckRegex, and, you guessed it, uses regex to check for allowed
  154. // characters.
  155. //
  156. //gocyclo:ignore
  157. func TypeSafetyCheck(name string, value string, argumentType string) error {
  158. switch argumentType {
  159. case "password":
  160. return nil
  161. case "raw_string_multiline":
  162. return nil
  163. case "checkbox":
  164. return nil
  165. case "email":
  166. return typeSafetyCheckEmail(value)
  167. case "url":
  168. return typeSafetyCheckUrl(value)
  169. case "datetime":
  170. return typeSafetyCheckDatetime(value)
  171. }
  172. return typeSafetyCheckRegex(name, value, argumentType)
  173. }
  174. func typecheckNull(arg *config.ActionArgument) error {
  175. if arg.RejectNull {
  176. return fmt.Errorf("null values are not allowed")
  177. }
  178. return nil
  179. }
  180. func typecheckChoice(value string, arg *config.ActionArgument) error {
  181. if arg.Entity != "" {
  182. return typecheckChoiceEntity(value, arg)
  183. }
  184. for _, choice := range arg.Choices {
  185. if value == choice.Value {
  186. return nil
  187. }
  188. }
  189. return fmt.Errorf("argument value is not one of the predefined choices")
  190. }
  191. func typecheckChoiceEntity(value string, arg *config.ActionArgument) error {
  192. templateChoice := arg.Choices[0].Value
  193. for _, ent := range entities.GetEntityInstances(arg.Entity) {
  194. choice := tpl.ParseTemplateOfActionBeforeExec(templateChoice, ent)
  195. if value == choice {
  196. return nil
  197. }
  198. }
  199. return fmt.Errorf("argument value cannot be found in entities")
  200. }
  201. func typeSafetyCheckEmail(value string) error {
  202. _, err := mail.ParseAddress(value)
  203. log.Errorf("Email check: %v, %v", err, value)
  204. if err != nil {
  205. return err
  206. }
  207. return nil
  208. }
  209. func typeSafetyCheckDatetime(value string) error {
  210. _, err := time.Parse("2006-01-02T15:04:05", value)
  211. if err != nil {
  212. return err
  213. }
  214. return nil
  215. }
  216. func typeSafetyCheckRegex(name string, value string, argumentType string) error {
  217. pattern := ""
  218. if strings.HasPrefix(argumentType, "regex:") {
  219. pattern = strings.Replace(argumentType, "regex:", "", 1)
  220. } else {
  221. found := false
  222. pattern, found = typecheckRegex[argumentType]
  223. if !found {
  224. return fmt.Errorf("argument type not implemented %v for arg: %v", argumentType, name)
  225. }
  226. }
  227. matches, _ := regexp.MatchString(pattern, value)
  228. if !matches {
  229. log.WithFields(log.Fields{
  230. "name": name,
  231. "value": value,
  232. "type": argumentType,
  233. "pattern": pattern,
  234. }).Warn("Arg type check safety failure")
  235. return fmt.Errorf("invalid argument %v, doesn't match %v", name, argumentType)
  236. }
  237. return nil
  238. }
  239. func typeSafetyCheckUrl(value string) error {
  240. _, err := url.ParseRequestURI(value)
  241. return err
  242. }
  243. func checkShellArgumentSafety(action *config.Action) error {
  244. if action.Shell == "" {
  245. return nil
  246. }
  247. unsafe := map[string]struct{}{"url": {}, "email": {}, "raw_string_multiline": {}, "very_dangerous_raw_string": {}, "password": {}}
  248. for _, arg := range action.Arguments {
  249. if _, bad := unsafe[arg.Type]; bad {
  250. return fmt.Errorf("unsafe argument type '%s' cannot be used with Shell execution. Use 'exec' instead. See https://docs.olivetin.app/action_execution/shellvsexec.html", arg.Type)
  251. }
  252. }
  253. return nil
  254. }
  255. func mangleInvalidArgumentValues(req *ExecutionRequest) {
  256. for _, arg := range req.Binding.Action.Arguments {
  257. if arg.Type == "datetime" {
  258. mangleInvalidDatetimeValues(req, &arg)
  259. }
  260. mangleCheckboxValues(req, &arg)
  261. }
  262. }
  263. func mangleCheckboxValues(req *ExecutionRequest, arg *config.ActionArgument) {
  264. if arg.Type != "checkbox" {
  265. return
  266. }
  267. log.Infof("Checking checkbox values for argument %s in action %s", arg.Name, req.Binding.Action.Title)
  268. for i, v := range arg.Choices {
  269. choice := &arg.Choices[i]
  270. if req.Arguments[arg.Name] == choice.Title {
  271. log.WithFields(log.Fields{
  272. "arg": arg.Name,
  273. "choice": v,
  274. "oldValue": req.Arguments[arg.Name],
  275. "newValue": choice.Value,
  276. "actionTitle": req.Binding.Action.Title,
  277. }).Infof("Mangled checkbox value")
  278. req.Arguments[arg.Name] = choice.Value
  279. }
  280. }
  281. }
  282. func mangleInvalidDatetimeValues(req *ExecutionRequest, arg *config.ActionArgument) {
  283. value, exists := req.Arguments[arg.Name]
  284. if !exists || value == "" {
  285. return
  286. }
  287. timestamp, err := time.Parse("2006-01-02T15:04", value)
  288. if err == nil {
  289. log.WithFields(log.Fields{
  290. "arg": arg.Name,
  291. "value": value,
  292. "actionTitle": req.Binding.Action.Title,
  293. }).Warnf("Mangled invalid datetime value without seconds to :00 seconds, this issue is commonly caused by Android browsers.")
  294. req.Arguments[arg.Name] = timestamp.Format("2006-01-02T15:04:05")
  295. }
  296. }
  297. // MangleArgumentValue applies mangling transformations to a single argument value.
  298. // This is used by the validation API to ensure the value matches what would be
  299. // used during actual execution.
  300. func MangleArgumentValue(arg *config.ActionArgument, value string, actionTitle string) string {
  301. if arg == nil {
  302. log.Debugf("MangleArgumentValue called with nil arg, returning value unchanged")
  303. return value
  304. }
  305. if arg.Type == "datetime" {
  306. return mangleDatetimeValue(arg, value, actionTitle)
  307. }
  308. if arg.Type == "checkbox" {
  309. return mangleCheckboxValue(arg, value, actionTitle)
  310. }
  311. return value
  312. }
  313. func mangleDatetimeValue(arg *config.ActionArgument, value string, actionTitle string) string {
  314. if arg == nil {
  315. log.Debugf("mangleDatetimeValue called with nil arg, returning value unchanged")
  316. return value
  317. }
  318. if value == "" {
  319. return value
  320. }
  321. timestamp, err := time.Parse("2006-01-02T15:04", value)
  322. if err != nil {
  323. return value
  324. }
  325. log.WithFields(log.Fields{
  326. "arg": arg.Name,
  327. "value": value,
  328. "actionTitle": actionTitle,
  329. }).Warnf("Mangled invalid datetime value without seconds to :00 seconds, this issue is commonly caused by Android browsers.")
  330. return timestamp.Format("2006-01-02T15:04:05")
  331. }
  332. func mangleCheckboxValue(arg *config.ActionArgument, value string, actionTitle string) string {
  333. if arg == nil {
  334. log.Debugf("mangleCheckboxValue called with nil arg, returning value unchanged")
  335. return value
  336. }
  337. for _, choice := range arg.Choices {
  338. if value == choice.Title {
  339. log.WithFields(log.Fields{
  340. "arg": arg.Name,
  341. "oldValue": value,
  342. "newValue": choice.Value,
  343. "actionTitle": actionTitle,
  344. }).Infof("Mangled checkbox value")
  345. return choice.Value
  346. }
  347. }
  348. return value
  349. }