Reduced some vuln after SAST scan

2025-10-14 17:56:06 -05:00
parent 5d746027e2
commit 2feeb339f2
12 changed files with 372 additions and 92 deletions
--- a/funguy.py
+++ b/funguy.py
@@ -17,6 +17,11 @@ import toml  # Library for parsing TOML configuration files
 # Importing FunguyConfig class from plugins.config module
 from plugins.config import FunguyConfig

+# Whitelist of allowed plugins to prevent arbitrary code execution
+ALLOWED_PLUGINS = {'ai', 'config', 'cron', 'date', 'fortune', 'help', 'isup', 'karma',
+                   'loadplugin', 'plugins', 'proxy', 'sd_text', 'stable-diffusion',
+                   'xkcd', 'youtube-preview', 'youtube-search'}
+
 class FunguyBot:
    """
    A bot class for managing plugins and handling commands in a Matrix chat environment.
@@ -78,17 +83,22 @@ class FunguyBot:
        """
        Method to load plugins from the specified directory.
        """
-        # Iterating through files in the plugins directory
-        for plugin_file in os.listdir(self.PLUGINS_DIR):
-            if plugin_file.endswith(".py"):  # Checking if file is a Python file
-                plugin_name = os.path.splitext(plugin_file)[0]  # Extracting plugin name
-                try:
-                    # Importing plugin module dynamically
-                    module = importlib.import_module(f"{self.PLUGINS_DIR}.{plugin_name}")
-                    self.PLUGINS[plugin_name] = module  # Storing loaded plugin module
-                    logging.info(f"Loaded plugin: {plugin_name}")  # Logging successful plugin loading
-                except Exception as e:
-                    logging.error(f"Error loading plugin {plugin_name}: {e}")  # Logging error if plugin loading fails
+        # Iterating through whitelisted plugins only
+        for plugin_name in ALLOWED_PLUGINS:
+            plugin_file = os.path.join(self.PLUGINS_DIR, f"{plugin_name}.py")
+
+            # Verify that the plugin file exists
+            if not os.path.isfile(plugin_file):
+                logging.warning(f"Plugin file not found: {plugin_file}, skipping")
+                continue
+
+            try:
+                # Importing plugin module dynamically with validated plugin name
+                module = importlib.import_module(f"{self.PLUGINS_DIR}.{plugin_name}")
+                self.PLUGINS[plugin_name] = module  # Storing loaded plugin module
+                logging.info(f"Loaded plugin: {plugin_name}")  # Logging successful plugin loading
+            except Exception as e:
+                logging.error(f"Error loading plugin {plugin_name}: {e}")  # Logging error if plugin loading fails

    def reload_plugins(self):
        """
@@ -233,3 +243,10 @@ class FunguyBot:
 if __name__ == "__main__":
    bot = FunguyBot()  # Creating instance of FunguyBot
    bot.run()  # Running the bot
+
+    from plugins import cron  # Import your cron plugin
+
+    # After bot starts running, periodically check for cron jobs
+    while True:
+        asyncio.sleep(60)  # Check every minute (adjust as needed)
+        cron.run_cron_jobs(bot)  # Check and execute cron jobs