From c153da98426f72d2f9754bf6fd106f6aab683c03 Mon Sep 17 00:00:00 2001
From: Aidaho
Date: Thu, 10 Apr 2025 15:45:14 +0300
Subject: [PATCH] v8.1.7: Update service action routing and validation logic

Revised the action route to use a restricted list of allowed actions via the `any` converter. Improved service name validation by refining the regex pattern and adjusted logging message formatting for consistency.
---
 app/modules/roxywi/roxy.py | 4 ++--
 app/routes/admin/routes.py | 4 +---
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/app/modules/roxywi/roxy.py b/app/modules/roxywi/roxy.py
index 80161ca6..f0c3e9e2 100644
--- a/app/modules/roxywi/roxy.py
+++ b/app/modules/roxywi/roxy.py
@@ -100,7 +100,7 @@ def action_service(action: str, service: str) -> str:
 'stop': 'disable --now',
 'restart': 'restart',
 }
- if not re.match(r'^[a-zA-Z0-9\.\-]+$', service):
+ if not re.match(r'^[a-zA-Z0-9._-]+$', service):
 return f"Invalid service name: {service}. Only alphanumeric characters, dots, and hyphens are allowed."
 cmd = f"sudo systemctl {actions[action]} {service}"
 if not roxy_sql.get_user().Status:
@@ -109,7 +109,7 @@ def action_service(action: str, service: str) -> str:
 if is_in_docker:
 cmd = f"sudo supervisorctl {action} {service}"
 os.system(cmd)
- roxywi_common.logging('Roxy-WI server', f' The service {service} has been {action}ed', roxywi=1, login=1)
+ roxywi_common.logging('Roxy-WI server', f'The service {service} has been {action}ed', roxywi=1, login=1)
 return 'ok'
diff --git a/app/routes/admin/routes.py b/app/routes/admin/routes.py
index 23e7afc4..2a6a8b40 100644
--- a/app/routes/admin/routes.py
+++ b/app/routes/admin/routes.py
@@ -85,11 +85,9 @@ def update_tools(service):
 return f'error: {e}'
-@bp.route('/tools/action//')
+@bp.route('/tools/action//')
 def action_tools(service, action):
 roxywi_auth.page_for_admin()
- if action not in ('start', 'stop', 'restart'):
- return 'error: wrong action'
 return roxy.action_service(action, service)
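Review bot: The new pattern `^[a-zA-Z0-9._-]+$` in `action_service` (first hunk of app/modules/roxywi/roxy.py) still accepts a name that begins with `-`, which `systemctl` or `supervisorctl` would parse as an option rather than a unit name, and `re.match` with `$` also lets a trailing newline through. The value is interpolated into the shell string `cmd` that the next hunk shows being run with `os.system`, so I would match the whole string and require an alphanumeric first character: `if not re.fullmatch(r'[a-zA-Z0-9][a-zA-Z0-9._-]*', service):`. The pattern now allows underscores, so the error text should say so; it also echoes the rejected `service` value back to the caller, which is better dropped from the message or escaped. The body of `action_service` starts and ends outside this hunk.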
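Review bot: Removing the `if action not in ('start', 'stop', 'restart')` check from `action_tools` in app/routes/admin/routes.py leaves the URL rule as the only allow-list, while `roxy.action_service` indexes `actions[action]` and, in its Docker branch, interpolates `action` directly into `sudo supervisorctl {action} {service}`. Any other caller of `action_service` would reach that shell string with an unchecked value, so I would keep a guard next to the command construction, for example `if action not in actions: return 'error: wrong action'` at the top of `action_service` (assuming `actions` holds exactly the supported verbs; its first lines are outside the diff). Separately, the route is declared without `methods=`, so this state-changing endpoint answers GET requests; consider `methods=['POST']` together with CSRF protection if the callers can be updated.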