Fix Shell injection issue (#4)

check sound file existance added quote the file path in a decorator pattern manner associated docstrings added
openscilab · Jun 7, 2023 · b92cd52 · b92cd52
1 parent e4e72c1
commit b92cd52
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -136,3 +136,4 @@ dmypy.json
 
 # Cython debug symbols
 cython_debug/
+/tests
diff --git a/nava/functions.py b/nava/functions.py
@@ -2,8 +2,10 @@
 """Nava functions."""
 import sys
 import subprocess
+import os 
+import shlex
 
-from .params import OVERVIEW, SOUND_ERROR_MESSAGE
+from .params import OVERVIEW, SOUND_ERROR_MESSAGE, SOUND_FILE_DOES_NOT_EXIST, INVALID_INPUT_FOR_SOUND_FILE_PATH
 from .errors import NavaBaseError
 
 
@@ -70,13 +72,45 @@ def play(sound_path):
     :type sound_path: str
     :return: None
     """
+    if not(isinstance(sound_path, str)):
+        raise NavaBaseError(INVALID_INPUT_FOR_SOUND_FILE_PATH)
+
+    # check sound file existance 
+    if not(os.path.isfile(sound_path)):
+        raise NavaBaseError(SOUND_FILE_DOES_NOT_EXIST)
+
     try:
         sys_platform = sys.platform
         if sys_platform == "win32":
             __play_win(sound_path)
-        elif sys_platform == "darwin":
-            __play_mac(sound_path)
         else:
-            __play_linux(sound_path)
+            # quote the file path argument that you're passing to the command line in a decorator pattern manner 
+            quoted_sound_path = QuoterDecorator(sound_path).quote()
+            if(sys_platform == "darwin"):
+                __play_mac(quoted_sound_path)
+            else:
+                __play_linux(quoted_sound_path)
     except Exception:
         raise NavaBaseError(SOUND_ERROR_MESSAGE)
+
+
+class QuoterDecorator:
+    """decorate the input to get quoted."""
+
+    def __init__(self, shell_string):
+        """
+        Initialize the QuoterDecorator instance.
+
+        :param shell_string: given shell_string
+        :type shell_string: str
+        :return: an instance of the QuoterDecorator class
+        """
+        self._shell_string = shell_string
+
+    def quote(self):
+        """
+        Quote the given shell_string.
+
+        :return: str
+        """
+        return shlex.quote(self._shell_string)
diff --git a/nava/params.py b/nava/params.py
@@ -9,3 +9,5 @@
 """
 
 SOUND_ERROR_MESSAGE = "Sound can not play due to some issues."
+SOUND_FILE_DOES_NOT_EXIST = "Given sound file doesn't exist."
+INVALID_INPUT_FOR_SOUND_FILE_PATH = "Sound file's path should be a string."