Merge branch 'GHSA-vcv2-q258-wrg7' into develop

Author: nicolargo

docs/aoa/actions.rst

@@ -33,20 +33,39 @@ reached:
 
     [fs]
     warning=70
-    warning_action=echo "{{time}} {{mnt_point}} {{used}}/{{size}}" > /tmp/fs.alert
+    warning_action=python /path/to/fs-warning.py {{mnt_point}} {{used}} {{size}}
 
-A last example would be to create a log file containing the total user disk
+.. note::
+
+    For security reasons, Mustache-rendered values are sanitized: the
+    characters ``&&``, ``|``, ``>`` and ``>>`` are replaced by spaces
+    before execution. This prevents command injection through
+    user-controllable data such as process names, container names or
+    mount points.
+
+    As a consequence, **shell operators (pipes, redirections, command
+    chaining) cannot be used directly in action command lines**. If your
+    action requires pipes, redirections or chained commands, write a
+    shell script and call it from the action instead.
+
+For example, to create a log file containing the total user disk
 space usage for a device and notify by email each time a space trigger
-critical is reached:
+critical is reached, create a shell script ``/etc/glances/actions.d/fs-critical.sh``:
+
+.. code-block:: bash
+
+    #!/bin/bash
+    # Usage: fs-critical.sh <time> <device_name> <percent>
+    echo "$1 $2 $3" > /tmp/fs.alert
+    python /etc/glances/actions.d/fs-critical.py
+
+Then reference it in the configuration file:
 
 .. code-block:: ini
 
     [fs]
     critical=90
-    critical_action_repeat=echo "{{time}} {{device_name}} {{percent}}" > /tmp/fs.alert && python /etc/glances/actions.d/fs-critical.py
-
-.. note::
-    Use && as separator for multiple commands
+    critical_action_repeat=/etc/glances/actions.d/fs-critical.sh {{time}} {{device_name}} {{percent}}
 
 Within ``/etc/glances/actions.d/fs-critical.py``:
 

docs/aoa/containers.rst

@@ -45,7 +45,7 @@ under the ``[containers]`` section:
     containername_cpu_careful=10
     containername_cpu_warning=20
     containername_cpu_critical=30
-    containername_cpu_critical_action=echo {{Image}} {{Id}} {{cpu}} > /tmp/container_{{name}}.alert
+    containername_cpu_critical_action=/etc/glances/actions.d/container-alert.sh {{Image}} {{Id}} {{cpu}} {{name}}
     # By default, Glances only display running containers
     # Set the following key to True to display all containers
     all=False
@@ -54,6 +54,21 @@ under the ``[containers]`` section:
 
 You can use all the variables ({{foo}}) available in the containers plugin.
 
+.. note::
+
+    Shell operators (``&&``, ``|``, ``>``, ``>>``) are **not allowed**
+    directly in action command lines. If your action requires pipes or
+    redirections, write a shell script and call it from the action.
+    For example, create ``/etc/glances/actions.d/container-alert.sh``:
+
+    .. code-block:: bash
+
+        #!/bin/bash
+        # Usage: container-alert.sh <image> <id> <cpu> <name>
+        echo "$1 $2 $3" > "/tmp/container_$4.alert"
+
+    See :ref:`actions` for details.
+
 Filtering (for hide or show) is based on regular expression. Please be sure that your regular
 expression works as expected. You can use an online tool like `regex101`_ in
 order to test your regular expression.

glances/actions.py

@@ -20,6 +20,31 @@
 else:
     chevron_tag = True
 
+# Characters that secure_popen interprets as shell operators.
+# Mustache-rendered values must not contain these to prevent command injection.
+_SHELL_OPERATORS = ('&&', '|', '>>', '>')
+
+
+def _sanitize_mustache_dict(mustache_dict):
+    """Return a copy of mustache_dict with shell operators replaced by spaces.
+
+    This prevents command injection when user-controllable data (process names,
+    container names, mount points, etc.) is rendered into action command lines
+    via Mustache templates.
+    """
+    if not mustache_dict:
+        return mustache_dict
+
+    safe = {}
+    for k, v in mustache_dict.items():
+        if isinstance(v, str):
+            for op in _SHELL_OPERATORS:
+                v = v.replace(op, ' ')
+            safe[k] = v
+        else:
+            safe[k] = v
+    return safe
+
 
 class GlancesActions:
     """This class manage action if an alert is reached."""
@@ -75,7 +100,9 @@ def run(self, stat_name, criticality, commands, repeat, mustache_dict=None):
         for cmd in commands:
             # Replace {{arg}} by the dict one (Thk to {Mustache})
             if chevron_tag:
-                cmd_full = chevron.render(cmd, mustache_dict)
+                # Sanitize mustache values to prevent shell operator injection
+                safe_dict = _sanitize_mustache_dict(mustache_dict)
+                cmd_full = chevron.render(cmd, safe_dict)
             else:
                 cmd_full = cmd
             # Execute the action