fix: adhoc execute alert msg

1 month ago · b7362d3f51
parent 6ee3860124
commit b7362d3f51
2 changed files with 13 additions and 2 deletions
--- a/apps/ops/ansible/runner.py
+++ b/apps/ops/ansible/runner.py
@ -40,9 +40,10 @@ class AdHocRunner:
    def check_module(self):
        if self.module not in self.cmd_modules_choices:
            return
-        if self.module_args and self.module_args.split()[0] in settings.SECURITY_COMMAND_BLACKLIST:
+        command = self.module_args
+        if command and set(command.split()).intersection(set(settings.SECURITY_COMMAND_BLACKLIST)):
            raise CommandInBlackListException(
-                "Command is rejected by black list: {}".format(self.module_args.split()[0]))
+                "Command is rejected by black list: {}".format(self.module_args))

    def set_local_connection(self):
        if self.job_module in self.need_local_connection_modules_choices:
--- a/apps/ops/models/job.py
+++ b/apps/ops/models/job.py
@ -481,6 +481,16 @@ class JobExecution(JMSOrgBaseModel):
            for acl in acls:
                if self.match_command_group(acl, asset):
                    break
+        command = self.current_job.args
+        if command and set(command.split()).intersection(set(settings.SECURITY_COMMAND_BLACKLIST)):
+            CommandExecutionAlert({
+                "assets": self.current_job.assets.all(),
+                "input": self.material,
+                "risk_level": RiskLevelChoices.reject,
+                "user": self.creator,
+            }).publish_async()
+            raise CommandInBlackListException(
+                "Command is rejected by black list: {}".format(self.current_job.args))

    def check_danger_keywords(self):
        lines = self.job.playbook.check_dangerous_keywords()