arguments.go 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469
  1. package executor
  2. import (
  3. config "github.com/OliveTin/OliveTin/internal/config"
  4. "github.com/OliveTin/OliveTin/internal/entities"
  5. "github.com/OliveTin/OliveTin/internal/fileupload"
  6. "github.com/OliveTin/OliveTin/internal/tpl"
  7. log "github.com/sirupsen/logrus"
  8. "fmt"
  9. "net/mail"
  10. "net/url"
  11. "regexp"
  12. "strings"
  13. "time"
  14. )
  15. var (
  16. typecheckRegex = map[string]string{
  17. "very_dangerous_raw_string": "",
  18. "int": `^\d+$`,
  19. "unicode_identifier": `^[\w\-\.\_\d]+$`,
  20. "ascii": `^[a-zA-Z0-9]+$`,
  21. "ascii_identifier": `^[a-zA-Z0-9\-\._]+$`,
  22. "ascii_sentence": `^[a-zA-Z0-9\-\._, ]+$`,
  23. }
  24. )
  25. // parseExecArray parses all exec arguments in the action.
  26. func parseExecArray(action *config.Action, templateArgs map[string]any, entity *entities.Entity) ([]string, error) {
  27. parsed := make([]string, len(action.Exec))
  28. for i, segment := range action.Exec {
  29. out, err := parseExecSegment(segment, templateArgs, entity)
  30. if err != nil {
  31. return nil, err
  32. }
  33. parsed[i] = out
  34. }
  35. return parsed, nil
  36. }
  37. func prepareExecArguments(req *ExecutionRequest) error {
  38. if err := validateArguments(req); err != nil {
  39. return err
  40. }
  41. return finalizeFileUploadArguments(req)
  42. }
  43. func execRequestAction(req *ExecutionRequest) (*config.Action, error) {
  44. if req == nil || req.Binding == nil {
  45. return nil, fmt.Errorf("request or binding is nil")
  46. }
  47. if req.Binding.Action == nil {
  48. return nil, fmt.Errorf("action is nil")
  49. }
  50. return req.Binding.Action, nil
  51. }
  52. func parseActionExec(req *ExecutionRequest) ([]string, error) {
  53. action, err := execRequestAction(req)
  54. if err != nil {
  55. return nil, err
  56. }
  57. if err := prepareExecArguments(req); err != nil {
  58. return nil, err
  59. }
  60. tmpl := buildTemplateArgumentMap(req)
  61. parsed, err := parseExecArray(action, tmpl, req.Binding.Entity)
  62. if err != nil {
  63. return nil, err
  64. }
  65. logParsedExec(action, parsed, req.Arguments)
  66. return parsed, nil
  67. }
  68. func parseExecSegment(arg string, templateArgs map[string]any, entity *entities.Entity) (string, error) {
  69. return tpl.ParseTemplateWithActionContext(arg, entity, templateArgs)
  70. }
  71. func uploadRegistryFromExecutor(req *ExecutionRequest) *fileupload.Registry {
  72. if req == nil || req.executor == nil {
  73. return nil
  74. }
  75. return req.executor.UploadRegistry
  76. }
  77. func validateArguments(req *ExecutionRequest) error {
  78. action, err := execRequestAction(req)
  79. if err != nil {
  80. return err
  81. }
  82. reg := uploadRegistryFromExecutor(req)
  83. bindingID := req.Binding.ID
  84. for _, arg := range action.Arguments {
  85. if err := typecheckActionArgument(&arg, req.Arguments[arg.Name], action, reg, bindingID); err != nil {
  86. return err
  87. }
  88. log.WithFields(log.Fields{"name": arg.Name, "value": req.Arguments[arg.Name]}).Debugf("Arg assigned")
  89. }
  90. return nil
  91. }
  92. func logParsedExec(action *config.Action, parsed []string, values map[string]string) {
  93. redacted := redactExecArgs(parsed, action.Arguments, values)
  94. log.WithFields(log.Fields{"actionTitle": action.Title, "cmd": redacted}).Infof("Action parse args - After (Exec)")
  95. }
  96. func parseActionArguments(req *ExecutionRequest) (string, error) {
  97. log.WithFields(log.Fields{
  98. "actionTitle": req.Binding.Action.Title,
  99. "cmd": req.Binding.Action.Shell,
  100. }).Infof("Action parse args - Before")
  101. if err := prepareExecArguments(req); err != nil {
  102. return "", err
  103. }
  104. tmpl := buildTemplateArgumentMap(req)
  105. parsedShellCommand, err := tpl.ParseTemplateWithActionContext(req.Binding.Action.Shell, req.Binding.Entity, tmpl)
  106. if err != nil {
  107. return "", err
  108. }
  109. redactedShellCommand := redactShellCommand(parsedShellCommand, req.Binding.Action.Arguments, req.Arguments)
  110. log.WithFields(log.Fields{
  111. "actionTitle": req.Binding.Action.Title,
  112. "cmd": redactedShellCommand,
  113. }).Infof("Action parse args - After")
  114. return parsedShellCommand, nil
  115. }
  116. //gocyclo:ignore
  117. func redactShellCommand(shellCommand string, arguments []config.ActionArgument, argumentValues map[string]string) string {
  118. for _, arg := range arguments {
  119. if arg.Type == "password" || arg.Type == "file_upload" {
  120. argValue, exists := argumentValues[arg.Name]
  121. if !exists {
  122. log.Warnf("Redact shell command: Argument %s not found in values", arg.Name)
  123. continue
  124. }
  125. if argValue == "" {
  126. continue
  127. }
  128. shellCommand = strings.ReplaceAll(shellCommand, argValue, "<redacted>")
  129. }
  130. }
  131. return shellCommand
  132. }
  133. //gocyclo:ignore
  134. func redactExecArgs(execArgs []string, arguments []config.ActionArgument, argumentValues map[string]string) []string {
  135. redacted := make([]string, len(execArgs))
  136. for i, arg := range execArgs {
  137. redacted[i] = redactShellCommand(arg, arguments, argumentValues)
  138. }
  139. return redacted
  140. }
  141. func typecheckActionArgument(arg *config.ActionArgument, value string, action *config.Action, reg *fileupload.Registry, bindingID string) error {
  142. if arg.Type == "confirmation" {
  143. return nil
  144. }
  145. if arg.Name == "" {
  146. return fmt.Errorf("argument name cannot be empty")
  147. }
  148. if arg.Type == "file_upload" {
  149. return validateFileUploadArg(value, arg, reg, bindingID)
  150. }
  151. return typecheckActionArgumentFound(value, arg)
  152. }
  153. // ValidateArgument validates a single argument value using the same logic as the executor.
  154. // It applies mangling transformations and performs full validation including null checks,
  155. // choice validation, and type safety checks.
  156. func ValidateArgument(arg *config.ActionArgument, value string, action *config.Action, uploadRegistry *fileupload.Registry, bindingID string) error {
  157. if arg == nil {
  158. return fmt.Errorf("ValidateArgument: arg is nil")
  159. }
  160. if action == nil {
  161. return fmt.Errorf("ValidateArgument: action is nil")
  162. }
  163. // Apply mangling transformations
  164. mangledValue := MangleArgumentValue(arg, value, action.Title)
  165. // Use the same validation path as the executor
  166. return typecheckActionArgument(arg, mangledValue, action, uploadRegistry, bindingID)
  167. }
  168. func typecheckActionArgumentFound(value string, arg *config.ActionArgument) error {
  169. if value == "" {
  170. return typecheckNull(arg)
  171. }
  172. if len(arg.Choices) > 0 {
  173. return typecheckChoice(value, arg)
  174. }
  175. return TypeSafetyCheck(arg.Name, value, arg.Type)
  176. }
  177. // TypeSafetyCheck checks argument values match a specific type. The types are
  178. // defined in typecheckRegex, and, you guessed it, uses regex to check for allowed
  179. // characters.
  180. //
  181. //gocyclo:ignore
  182. func TypeSafetyCheck(name string, value string, argumentType string) error {
  183. switch argumentType {
  184. case "password":
  185. return nil
  186. case "file_upload":
  187. return nil
  188. case "raw_string_multiline":
  189. return nil
  190. case "checkbox":
  191. return nil
  192. case "email":
  193. return typeSafetyCheckEmail(value)
  194. case "url":
  195. return typeSafetyCheckUrl(value)
  196. case "datetime":
  197. return typeSafetyCheckDatetime(value)
  198. }
  199. return typeSafetyCheckRegex(name, value, argumentType)
  200. }
  201. func typecheckNull(arg *config.ActionArgument) error {
  202. if arg.RejectNull {
  203. return fmt.Errorf("null values are not allowed")
  204. }
  205. return nil
  206. }
  207. func typecheckChoice(value string, arg *config.ActionArgument) error {
  208. if arg.Entity != "" {
  209. return typecheckChoiceEntity(value, arg)
  210. }
  211. for _, choice := range arg.Choices {
  212. if value == choice.Value {
  213. return nil
  214. }
  215. }
  216. return fmt.Errorf("argument value is not one of the predefined choices")
  217. }
  218. func typecheckChoiceEntity(value string, arg *config.ActionArgument) error {
  219. templateChoice := arg.Choices[0].Value
  220. for _, ent := range entities.GetEntityInstances(arg.Entity) {
  221. choice := tpl.ParseTemplateOfActionBeforeExec(templateChoice, ent)
  222. if value == choice {
  223. return nil
  224. }
  225. }
  226. return fmt.Errorf("argument value cannot be found in entities")
  227. }
  228. func typeSafetyCheckEmail(value string) error {
  229. _, err := mail.ParseAddress(value)
  230. if err != nil {
  231. log.WithField("type", "email").Debugf("Email argument type check failed")
  232. return err
  233. }
  234. return nil
  235. }
  236. func typeSafetyCheckDatetime(value string) error {
  237. _, err := time.Parse("2006-01-02T15:04:05", value)
  238. if err != nil {
  239. return err
  240. }
  241. return nil
  242. }
  243. func typeSafetyCheckRegex(name string, value string, argumentType string) error {
  244. pattern := ""
  245. if strings.HasPrefix(argumentType, "regex:") {
  246. pattern = strings.Replace(argumentType, "regex:", "", 1)
  247. } else {
  248. found := false
  249. pattern, found = typecheckRegex[argumentType]
  250. if !found {
  251. return fmt.Errorf("argument type not implemented %v for arg: %v", argumentType, name)
  252. }
  253. }
  254. matches, _ := regexp.MatchString(pattern, value)
  255. if !matches {
  256. log.WithFields(log.Fields{
  257. "name": name,
  258. "value": value,
  259. "type": argumentType,
  260. "pattern": pattern,
  261. }).Warn("Arg type check safety failure")
  262. return fmt.Errorf("invalid argument %v, doesn't match %v", name, argumentType)
  263. }
  264. return nil
  265. }
  266. func typeSafetyCheckUrl(value string) error {
  267. _, err := url.ParseRequestURI(value)
  268. return err
  269. }
  270. func checkShellArgumentSafety(action *config.Action) error {
  271. if action.Shell == "" {
  272. return nil
  273. }
  274. unsafe := map[string]struct{}{
  275. "url": {}, "email": {}, "raw_string_multiline": {}, "very_dangerous_raw_string": {}, "password": {}, "file_upload": {},
  276. }
  277. for _, arg := range action.Arguments {
  278. if _, bad := unsafe[arg.Type]; bad {
  279. return fmt.Errorf("unsafe argument type '%s' cannot be used with Shell execution. Use 'exec' instead. See https://docs.olivetin.app/action_execution/shellvsexec.html", arg.Type)
  280. }
  281. }
  282. return nil
  283. }
  284. func mangleInvalidArgumentValues(req *ExecutionRequest) {
  285. for _, arg := range req.Binding.Action.Arguments {
  286. if arg.Type == "datetime" {
  287. mangleInvalidDatetimeValues(req, &arg)
  288. }
  289. mangleCheckboxValues(req, &arg)
  290. }
  291. }
  292. func mangleCheckboxValues(req *ExecutionRequest, arg *config.ActionArgument) {
  293. if arg.Type != "checkbox" {
  294. return
  295. }
  296. log.Infof("Checking checkbox values for argument %s in action %s", arg.Name, req.Binding.Action.Title)
  297. for i, v := range arg.Choices {
  298. choice := &arg.Choices[i]
  299. if req.Arguments[arg.Name] == choice.Title {
  300. log.WithFields(log.Fields{
  301. "arg": arg.Name,
  302. "choice": v,
  303. "oldValue": req.Arguments[arg.Name],
  304. "newValue": choice.Value,
  305. "actionTitle": req.Binding.Action.Title,
  306. }).Infof("Mangled checkbox value")
  307. req.Arguments[arg.Name] = choice.Value
  308. }
  309. }
  310. }
  311. func mangleInvalidDatetimeValues(req *ExecutionRequest, arg *config.ActionArgument) {
  312. value, exists := req.Arguments[arg.Name]
  313. if !exists || value == "" {
  314. return
  315. }
  316. timestamp, err := time.Parse("2006-01-02T15:04", value)
  317. if err == nil {
  318. log.WithFields(log.Fields{
  319. "arg": arg.Name,
  320. "value": value,
  321. "actionTitle": req.Binding.Action.Title,
  322. }).Warnf("Mangled invalid datetime value without seconds to :00 seconds, this issue is commonly caused by Android browsers.")
  323. req.Arguments[arg.Name] = timestamp.Format("2006-01-02T15:04:05")
  324. }
  325. }
  326. // MangleArgumentValue applies mangling transformations to a single argument value.
  327. // This is used by the validation API to ensure the value matches what would be
  328. // used during actual execution.
  329. func MangleArgumentValue(arg *config.ActionArgument, value string, actionTitle string) string {
  330. if arg == nil {
  331. log.Debugf("MangleArgumentValue called with nil arg, returning value unchanged")
  332. return value
  333. }
  334. return mangleArgumentValueByType(arg, value, actionTitle)
  335. }
  336. func mangleArgumentValueByType(arg *config.ActionArgument, value string, actionTitle string) string {
  337. switch arg.Type {
  338. case "file_upload":
  339. return value
  340. case "datetime":
  341. return mangleDatetimeValue(arg, value, actionTitle)
  342. case "checkbox":
  343. return mangleCheckboxValue(arg, value, actionTitle)
  344. default:
  345. return value
  346. }
  347. }
  348. func mangleDatetimeValue(arg *config.ActionArgument, value string, actionTitle string) string {
  349. if arg == nil {
  350. log.Debugf("mangleDatetimeValue called with nil arg, returning value unchanged")
  351. return value
  352. }
  353. if value == "" {
  354. return value
  355. }
  356. timestamp, err := time.Parse("2006-01-02T15:04", value)
  357. if err != nil {
  358. return value
  359. }
  360. log.WithFields(log.Fields{
  361. "arg": arg.Name,
  362. "value": value,
  363. "actionTitle": actionTitle,
  364. }).Warnf("Mangled invalid datetime value without seconds to :00 seconds, this issue is commonly caused by Android browsers.")
  365. return timestamp.Format("2006-01-02T15:04:05")
  366. }
  367. func mangleCheckboxValue(arg *config.ActionArgument, value string, actionTitle string) string {
  368. if arg == nil {
  369. log.Debugf("mangleCheckboxValue called with nil arg, returning value unchanged")
  370. return value
  371. }
  372. for _, choice := range arg.Choices {
  373. if value == choice.Title {
  374. log.WithFields(log.Fields{
  375. "arg": arg.Name,
  376. "oldValue": value,
  377. "newValue": choice.Value,
  378. "actionTitle": actionTitle,
  379. }).Infof("Mangled checkbox value")
  380. return choice.Value
  381. }
  382. }
  383. return value
  384. }