Reduced some vuln after SAST scan

2025-10-14 17:56:06 -05:00
parent 5d746027e2
commit 2feeb339f2
12 changed files with 372 additions and 92 deletions
--- a/plugins/loadplugin.py
+++ b/plugins/loadplugin.py
@@ -11,6 +11,11 @@ import sys  # Import sys module for unloading plugins
 # Dictionary to store loaded plugins
 PLUGINS = {}

+# Whitelist of allowed plugins to prevent arbitrary code execution
+ALLOWED_PLUGINS = {'ai', 'config', 'cron', 'date', 'fortune', 'help', 'isup', 'karma',
+                   'loadplugin', 'plugins', 'proxy', 'sd_text', 'stable-diffusion',
+                   'xkcd', 'youtube-preview', 'youtube-search'}
+
 async def load_plugin(plugin_name):
    """
    Asynchronously loads a plugin.
@@ -21,9 +26,46 @@ async def load_plugin(plugin_name):
    Returns:
        bool: True if the plugin is loaded successfully, False otherwise.
    """
+    # Validate plugin name against whitelist
+    if plugin_name not in ALLOWED_PLUGINS:
+        logging.error(f"Plugin '{plugin_name}' is not whitelisted")
+        return False
+
+    # Verify that the plugin file exists in the plugins directory
+    plugin_path = os.path.join("plugins", f"{plugin_name}.py")
+    if not os.path.isfile(plugin_path):
+        logging.error(f"Plugin file not found: {plugin_path}")
+        return False
+
    try:
-        # Import the plugin module
-        module = importlib.import_module(f"plugins.{plugin_name}")
+        # Create a mapping of whitelisted plugins to their module paths
+        plugin_modules = {
+            'ai': 'plugins.ai',
+            'config': 'plugins.config',
+            'cron': 'plugins.cron',
+            'date': 'plugins.date',
+            'fortune': 'plugins.fortune',
+            'help': 'plugins.help',
+            'isup': 'plugins.isup',
+            'karma': 'plugins.karma',
+            'loadplugin': 'plugins.loadplugin',
+            'plugins': 'plugins.plugins',
+            'proxy': 'plugins.proxy',
+            'sd_text': 'plugins.sd_text',
+            'stable-diffusion': 'plugins.stable-diffusion',
+            'xkcd': 'plugins.xkcd',
+            'youtube-preview': 'plugins.youtube-preview',
+            'youtube-search': 'plugins.youtube-search',
+        }
+
+        # Get the module path from the mapping
+        module_path = plugin_modules.get(plugin_name)
+        if not module_path:
+            logging.error(f"Plugin '{plugin_name}' not found in plugin mapping")
+            return False
+
+        # Import the plugin module using the validated module path
+        module = importlib.import_module(module_path)
        # Add the plugin module to the PLUGINS dictionary
        PLUGINS[plugin_name] = module
        logging.info(f"Loaded plugin: {plugin_name}")
@@ -112,4 +154,3 @@ async def handle_command(room, message, bot, prefix, config):
            else:
                # Send unauthorized message if the sender is not the admin
                await bot.api.send_text_message(room.room_id, "You are not authorized to unload plugins.")
-