arguments.go 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619
  1. package executor
  2. import (
  3. config "github.com/OliveTin/OliveTin/internal/config"
  4. "github.com/OliveTin/OliveTin/internal/entities"
  5. "github.com/OliveTin/OliveTin/internal/tpl"
  6. log "github.com/sirupsen/logrus"
  7. "fmt"
  8. "net/mail"
  9. "net/url"
  10. "regexp"
  11. "strings"
  12. "time"
  13. )
  14. var (
  15. typecheckRegex = map[string]string{
  16. "very_dangerous_raw_string": "",
  17. "int": `^\d+$`,
  18. "unicode_identifier": `^[\w\-\.\_\d]+$`,
  19. "ascii": `^[a-zA-Z0-9]+$`,
  20. "ascii_identifier": `^[a-zA-Z0-9\-\._]+$`,
  21. "shell_safe_identifier": `^[a-zA-Z0-9@\.\_\+\-]+$`,
  22. "ascii_sentence": `^[a-zA-Z0-9\-\._, ]+$`,
  23. }
  24. )
  25. // parseExecArray parses all exec arguments in the action.
  26. func parseExecArray(action *config.Action, values map[string]string, entity *entities.Entity) ([]string, error) {
  27. parsed := make([]string, len(action.Exec))
  28. for i, segment := range action.Exec {
  29. out, err := parseExecSegment(segment, values, entity)
  30. if err != nil {
  31. return nil, err
  32. }
  33. parsed[i] = out
  34. }
  35. return parsed, nil
  36. }
  37. func parseActionExec(values map[string]string, action *config.Action, entity *entities.Entity) ([]string, error) {
  38. if action == nil {
  39. return nil, fmt.Errorf("action is nil")
  40. }
  41. if err := validateArguments(values, action); err != nil {
  42. return nil, err
  43. }
  44. parsed, err := parseExecArray(action, values, entity)
  45. if err != nil {
  46. return nil, err
  47. }
  48. logParsedExec(action, parsed, values)
  49. return parsed, nil
  50. }
  51. func parseExecSegment(arg string, values map[string]string, entity *entities.Entity) (string, error) {
  52. return tpl.ParseTemplateWithActionContext(arg, entity, values)
  53. }
  54. func validateArguments(values map[string]string, action *config.Action) error {
  55. for _, arg := range action.Arguments {
  56. if err := typecheckActionArgument(&arg, values[arg.Name], action); err != nil {
  57. return err
  58. }
  59. log.WithFields(log.Fields{"name": arg.Name, "value": values[arg.Name]}).Debugf("Arg assigned")
  60. }
  61. return nil
  62. }
  63. func logParsedExec(action *config.Action, parsed []string, values map[string]string) {
  64. redacted := redactExecArgs(parsed, action.Arguments, values)
  65. log.WithFields(log.Fields{"actionTitle": action.Title, "cmd": redacted}).Infof("Action parse args - After (Exec)")
  66. }
  67. func parseActionArguments(req *ExecutionRequest) (string, error) {
  68. log.WithFields(log.Fields{
  69. "actionTitle": req.Binding.Action.Title,
  70. "cmd": req.Binding.Action.Shell,
  71. }).Infof("Action parse args - Before")
  72. for _, arg := range req.Binding.Action.Arguments {
  73. argName := arg.Name
  74. argValue := req.Arguments[argName]
  75. err := typecheckActionArgument(&arg, argValue, req.Binding.Action)
  76. if err != nil {
  77. return "", err
  78. }
  79. log.WithFields(log.Fields{
  80. "name": argName,
  81. "value": argValue,
  82. }).Debugf("Arg assigned")
  83. }
  84. parsedShellCommand, err := tpl.ParseTemplateWithActionContext(req.Binding.Action.Shell, req.Binding.Entity, req.Arguments)
  85. if err != nil {
  86. return "", err
  87. }
  88. redactedShellCommand := redactShellCommand(parsedShellCommand, req.Binding.Action.Arguments, req.Arguments)
  89. log.WithFields(log.Fields{
  90. "actionTitle": req.Binding.Action.Title,
  91. "cmd": redactedShellCommand,
  92. }).Infof("Action parse args - After")
  93. return parsedShellCommand, nil
  94. }
  95. //gocyclo:ignore
  96. func redactShellCommand(shellCommand string, arguments []config.ActionArgument, argumentValues map[string]string) string {
  97. for _, arg := range arguments {
  98. if arg.Type == "password" {
  99. argValue, exists := argumentValues[arg.Name]
  100. if !exists {
  101. log.Warnf("Redact shell command: Argument %s not found in values", arg.Name)
  102. continue
  103. }
  104. if argValue == "" {
  105. continue
  106. }
  107. shellCommand = strings.ReplaceAll(shellCommand, argValue, "<redacted>")
  108. }
  109. }
  110. return shellCommand
  111. }
  112. //gocyclo:ignore
  113. func redactExecArgs(execArgs []string, arguments []config.ActionArgument, argumentValues map[string]string) []string {
  114. redacted := make([]string, len(execArgs))
  115. for i, arg := range execArgs {
  116. redacted[i] = redactShellCommand(arg, arguments, argumentValues)
  117. }
  118. return redacted
  119. }
  120. func argumentSkipsValidation(arg *config.ActionArgument) bool {
  121. switch arg.Type {
  122. case "confirmation", "html":
  123. return true
  124. default:
  125. return false
  126. }
  127. }
  128. func typecheckActionArgument(arg *config.ActionArgument, value string, action *config.Action) error {
  129. if argumentSkipsValidation(arg) {
  130. return nil
  131. }
  132. if arg.Name == "" {
  133. return fmt.Errorf("argument name cannot be empty")
  134. }
  135. return typecheckActionArgumentFound(value, arg)
  136. }
  137. // ValidateArgument validates a single argument value using the same logic as the executor.
  138. // It applies mangling transformations and performs full validation including null checks,
  139. // choice validation, and type safety checks.
  140. func ValidateArgument(arg *config.ActionArgument, value string, action *config.Action) error {
  141. if arg == nil {
  142. return fmt.Errorf("ValidateArgument: arg is nil")
  143. }
  144. if action == nil {
  145. return fmt.Errorf("ValidateArgument: action is nil")
  146. }
  147. // Apply mangling transformations
  148. mangledValue := MangleArgumentValue(arg, value, action.Title)
  149. // Use the same validation path as the executor
  150. return typecheckActionArgument(arg, mangledValue, action)
  151. }
  152. func typecheckActionArgumentFound(value string, arg *config.ActionArgument) error {
  153. if value == "" {
  154. return typecheckNull(arg)
  155. }
  156. if arg.Type == "checklist" {
  157. return typecheckChecklist(value, arg)
  158. }
  159. if len(arg.Choices) > 0 {
  160. return typecheckChoice(value, arg)
  161. }
  162. return TypeSafetyCheck(arg.Name, value, arg.Type)
  163. }
  164. // TypeSafetyCheck checks argument values match a specific type. The types are
  165. // defined in typecheckRegex, and, you guessed it, uses regex to check for allowed
  166. // characters.
  167. //
  168. //gocyclo:ignore
  169. func TypeSafetyCheck(name string, value string, argumentType string) error {
  170. switch argumentType {
  171. case "password":
  172. return nil
  173. case "raw_string_multiline":
  174. return nil
  175. case "checkbox":
  176. return nil
  177. case "checklist":
  178. return nil
  179. case "email":
  180. return typeSafetyCheckEmail(value)
  181. case "url":
  182. return typeSafetyCheckUrl(value)
  183. case "datetime":
  184. return typeSafetyCheckDatetime(value)
  185. }
  186. return typeSafetyCheckRegex(name, value, argumentType)
  187. }
  188. func typecheckNull(arg *config.ActionArgument) error {
  189. if arg.RejectNull {
  190. return fmt.Errorf("null values are not allowed")
  191. }
  192. return nil
  193. }
  194. func typecheckChecklist(value string, arg *config.ActionArgument) error {
  195. if len(arg.Choices) == 0 {
  196. return fmt.Errorf("checklist argument %q requires choices", arg.Name)
  197. }
  198. segments, err := config.ParseChecklistValue(value)
  199. if err != nil {
  200. return err
  201. }
  202. return typecheckChecklistSegments(segments, arg)
  203. }
  204. func typecheckChecklistSegments(segments []string, arg *config.ActionArgument) error {
  205. for _, segment := range segments {
  206. if err := typecheckChecklistSegment(segment, arg); err != nil {
  207. return err
  208. }
  209. }
  210. return nil
  211. }
  212. func typecheckChecklistSegment(segment string, arg *config.ActionArgument) error {
  213. if segment == "" {
  214. return fmt.Errorf("checklist argument %q contains an empty segment", arg.Name)
  215. }
  216. return typecheckChoice(segment, arg)
  217. }
  218. func typecheckChoice(value string, arg *config.ActionArgument) error {
  219. if arg.Entity != "" {
  220. return typecheckChoiceEntity(value, arg)
  221. }
  222. for _, choice := range arg.Choices {
  223. if value == choice.Value {
  224. return nil
  225. }
  226. }
  227. return fmt.Errorf("argument value is not one of the predefined choices")
  228. }
  229. func typecheckChoiceEntity(value string, arg *config.ActionArgument) error {
  230. templateChoice := arg.Choices[0].Value
  231. for _, ent := range entities.GetEntityInstances(arg.Entity) {
  232. choice := tpl.ParseTemplateOfActionBeforeExec(templateChoice, ent)
  233. if value == choice {
  234. return nil
  235. }
  236. }
  237. return fmt.Errorf("argument value cannot be found in entities")
  238. }
  239. func typeSafetyCheckEmail(value string) error {
  240. _, err := mail.ParseAddress(value)
  241. if err != nil {
  242. log.WithField("type", "email").Debugf("Email argument type check failed")
  243. return err
  244. }
  245. return nil
  246. }
  247. func typeSafetyCheckDatetime(value string) error {
  248. _, err := time.Parse("2006-01-02T15:04:05", value)
  249. if err != nil {
  250. return err
  251. }
  252. return nil
  253. }
  254. func anchorCustomRegexPattern(pattern string) string {
  255. if strings.HasPrefix(pattern, "^") && strings.HasSuffix(pattern, "$") {
  256. return pattern
  257. }
  258. return "^(?:" + pattern + ")$"
  259. }
  260. func typeSafetyCheckRegex(name string, value string, argumentType string) error {
  261. pattern := ""
  262. isCustomRegex := strings.HasPrefix(argumentType, "regex:")
  263. if isCustomRegex {
  264. pattern = strings.TrimPrefix(argumentType, "regex:")
  265. pattern = anchorCustomRegexPattern(pattern)
  266. } else {
  267. found := false
  268. pattern, found = typecheckRegex[argumentType]
  269. if !found {
  270. return fmt.Errorf("argument type not implemented %v for arg: %v", argumentType, name)
  271. }
  272. }
  273. matches, _ := regexp.MatchString(pattern, value)
  274. if !matches {
  275. log.WithFields(log.Fields{
  276. "name": name,
  277. "value": value,
  278. "type": argumentType,
  279. "pattern": pattern,
  280. }).Warn("Arg type check safety failure")
  281. return fmt.Errorf("invalid argument %v, doesn't match %v", name, argumentType)
  282. }
  283. return nil
  284. }
  285. func typeSafetyCheckUrl(value string) error {
  286. parsed, err := url.ParseRequestURI(value)
  287. if err != nil {
  288. return err
  289. }
  290. scheme := strings.ToLower(parsed.Scheme)
  291. if scheme != "http" && scheme != "https" {
  292. return fmt.Errorf("url scheme %q is not allowed; only http and https are permitted", parsed.Scheme)
  293. }
  294. return nil
  295. }
  296. var shellUnsafeArgumentTypes = map[string]struct{}{
  297. "url": {},
  298. "email": {},
  299. "raw_string_multiline": {},
  300. "very_dangerous_raw_string": {},
  301. "password": {},
  302. "html": {},
  303. "confirmation": {},
  304. }
  305. func isUnsafeShellArgumentType(arg *config.ActionArgument) bool {
  306. if strings.HasPrefix(arg.Type, "regex:") {
  307. return true
  308. }
  309. _, inMap := shellUnsafeArgumentTypes[arg.Type]
  310. return inMap || (arg.Type == "checkbox" && len(arg.Choices) == 0)
  311. }
  312. func checkShellArgumentSafety(action *config.Action) error {
  313. if action.Shell == "" {
  314. return nil
  315. }
  316. for i := range action.Arguments {
  317. arg := &action.Arguments[i]
  318. if isUnsafeShellArgumentType(arg) {
  319. return fmt.Errorf("unsafe argument type '%s' cannot be used with Shell execution. Use 'exec' instead. See https://docs.olivetin.app/action_execution/shellvsexec.html", arg.Type)
  320. }
  321. }
  322. return nil
  323. }
  324. func mangleInvalidArgumentValues(req *ExecutionRequest) {
  325. for _, arg := range req.Binding.Action.Arguments {
  326. if arg.Type == "datetime" {
  327. mangleInvalidDatetimeValues(req, &arg)
  328. }
  329. mangleCheckboxValues(req, &arg)
  330. mangleChecklistValues(req, &arg)
  331. }
  332. }
  333. func mangleCheckboxValues(req *ExecutionRequest, arg *config.ActionArgument) {
  334. if arg.Type != "checkbox" {
  335. return
  336. }
  337. log.Infof("Checking checkbox values for argument %s in action %s", arg.Name, req.Binding.Action.Title)
  338. for i, v := range arg.Choices {
  339. choice := &arg.Choices[i]
  340. if req.Arguments[arg.Name] == choice.Title {
  341. log.WithFields(log.Fields{
  342. "arg": arg.Name,
  343. "choice": v,
  344. "oldValue": req.Arguments[arg.Name],
  345. "newValue": choice.Value,
  346. "actionTitle": req.Binding.Action.Title,
  347. }).Infof("Mangled checkbox value")
  348. req.Arguments[arg.Name] = choice.Value
  349. }
  350. }
  351. }
  352. func mangleInvalidDatetimeValues(req *ExecutionRequest, arg *config.ActionArgument) {
  353. value, exists := req.Arguments[arg.Name]
  354. if !exists || value == "" {
  355. return
  356. }
  357. timestamp, err := time.Parse("2006-01-02T15:04", value)
  358. if err == nil {
  359. log.WithFields(log.Fields{
  360. "arg": arg.Name,
  361. "value": value,
  362. "actionTitle": req.Binding.Action.Title,
  363. }).Warnf("Mangled invalid datetime value without seconds to :00 seconds, this issue is commonly caused by Android browsers.")
  364. req.Arguments[arg.Name] = timestamp.Format("2006-01-02T15:04:05")
  365. }
  366. }
  367. // MangleArgumentValue applies mangling transformations to a single argument value.
  368. // This is used by the validation API to ensure the value matches what would be
  369. // used during actual execution.
  370. func MangleArgumentValue(arg *config.ActionArgument, value string, actionTitle string) string {
  371. if arg == nil {
  372. log.Debugf("MangleArgumentValue called with nil arg, returning value unchanged")
  373. return value
  374. }
  375. return mangleArgumentValueByType(arg, value, actionTitle)
  376. }
  377. func mangleArgumentValueByType(arg *config.ActionArgument, value string, actionTitle string) string {
  378. switch arg.Type {
  379. case "datetime":
  380. return mangleDatetimeValue(arg, value, actionTitle)
  381. case "checkbox":
  382. return mangleCheckboxValue(arg, value, actionTitle)
  383. case "checklist":
  384. return mangleChecklistValue(arg, value, actionTitle)
  385. default:
  386. return value
  387. }
  388. }
  389. func mangleDatetimeValue(arg *config.ActionArgument, value string, actionTitle string) string {
  390. if arg == nil {
  391. log.Debugf("mangleDatetimeValue called with nil arg, returning value unchanged")
  392. return value
  393. }
  394. if value == "" {
  395. return value
  396. }
  397. timestamp, err := time.Parse("2006-01-02T15:04", value)
  398. if err != nil {
  399. return value
  400. }
  401. log.WithFields(log.Fields{
  402. "arg": arg.Name,
  403. "value": value,
  404. "actionTitle": actionTitle,
  405. }).Warnf("Mangled invalid datetime value without seconds to :00 seconds, this issue is commonly caused by Android browsers.")
  406. return timestamp.Format("2006-01-02T15:04:05")
  407. }
  408. func mangleCheckboxValue(arg *config.ActionArgument, value string, actionTitle string) string {
  409. if arg == nil {
  410. log.Debugf("mangleCheckboxValue called with nil arg, returning value unchanged")
  411. return value
  412. }
  413. return mangleChoiceSegment(arg, value, actionTitle)
  414. }
  415. func mangleChecklistValues(req *ExecutionRequest, arg *config.ActionArgument) {
  416. if arg.Type != "checklist" {
  417. return
  418. }
  419. value, exists := req.Arguments[arg.Name]
  420. if !exists || value == "" {
  421. return
  422. }
  423. req.Arguments[arg.Name] = mangleChecklistValue(arg, value, req.Binding.Action.Title)
  424. }
  425. func mangleChecklistValue(arg *config.ActionArgument, value string, actionTitle string) string {
  426. if arg == nil || value == "" {
  427. return value
  428. }
  429. segments, err := config.ParseChecklistValue(value)
  430. if err != nil {
  431. return value
  432. }
  433. return mangleChecklistSegments(arg, segments, value, actionTitle)
  434. }
  435. func mangleChecklistSegments(arg *config.ActionArgument, segments []string, fallback string, actionTitle string) string {
  436. mangled := make([]string, len(segments))
  437. for i, segment := range segments {
  438. mangled[i] = mangleChecklistSegment(arg, segment, actionTitle)
  439. }
  440. formatted, err := config.FormatChecklistValue(mangled)
  441. if err != nil {
  442. return fallback
  443. }
  444. return formatted
  445. }
  446. func mangleChecklistSegment(arg *config.ActionArgument, segment string, actionTitle string) string {
  447. trimmed := strings.TrimSpace(segment)
  448. if trimmed == "" {
  449. return ""
  450. }
  451. return mangleChoiceSegment(arg, trimmed, actionTitle)
  452. }
  453. func mangleChoiceSegment(arg *config.ActionArgument, value string, actionTitle string) string {
  454. if mapped, ok := mangleChoiceSegmentEntity(arg, value, actionTitle); ok {
  455. return mapped
  456. }
  457. return mangleChoiceSegmentStatic(arg, value, actionTitle)
  458. }
  459. func mangleChoiceSegmentEntity(arg *config.ActionArgument, value string, actionTitle string) (string, bool) {
  460. if arg.Entity == "" || len(arg.Choices) == 0 {
  461. return value, false
  462. }
  463. return mangleEntityTemplateChoiceSegment(arg.Choices[0], arg.Entity, arg.Name, value, actionTitle)
  464. }
  465. func mangleEntityTemplateChoiceSegment(templateChoice config.ActionArgumentChoice, entityName string, argName string, value string, actionTitle string) (string, bool) {
  466. for _, ent := range entities.GetEntityInstancesOrdered(entityName) {
  467. expandedTitle := tpl.ParseTemplateOfActionBeforeExec(templateChoice.Title, ent)
  468. if value != expandedTitle {
  469. continue
  470. }
  471. expandedValue := tpl.ParseTemplateOfActionBeforeExec(templateChoice.Value, ent)
  472. log.WithFields(log.Fields{
  473. "arg": argName,
  474. "oldValue": value,
  475. "newValue": expandedValue,
  476. "actionTitle": actionTitle,
  477. }).Infof("Mangled entity choice segment")
  478. return expandedValue, true
  479. }
  480. return value, false
  481. }
  482. func mangleChoiceSegmentStatic(arg *config.ActionArgument, value string, actionTitle string) string {
  483. for _, choice := range arg.Choices {
  484. if value == choice.Title {
  485. log.WithFields(log.Fields{
  486. "arg": arg.Name,
  487. "oldValue": value,
  488. "newValue": choice.Value,
  489. "actionTitle": actionTitle,
  490. }).Infof("Mangled choice segment")
  491. return choice.Value
  492. }
  493. }
  494. return value
  495. }