Validate "Command options" #222

Author: ctippler

doc/commandsValidator.md

@@ -15,3 +15,20 @@ If you want that all commands are available, change the $strategy to "all". Then
             $whiteList: ["router:match","valid:command"]
             $blackList: ["process-manager:maintenance","do-no-execute:command"]
 ```
+
+### Validating commands / command options before they get saved
+
+In the pimcore admin you can set the "Commands options". By default there is no validation for the command options (the whole command is passed through "https://www.php.net/escapeshellcmd").
+If you need certain logic to validate the command options you could implement public methods in your command, which validates the options:
+
+E.g:
+
+```php
+
+    public function validatedCommandOptions(string $commandOptions, \Elements\Bundle\ProcessManagerBundle\Model\Configuration $configuration): void
+    {
+    #    throw new \Exception('invalid command options');
+    }
+```
+
+Or you overwrite the "validateCommandConfiguration" method of the Elements\Bundle\ProcessManagerBundle\Service\CommandsValidator

src/Helper.php

@@ -76,6 +76,7 @@ public static function executeJob(string $configId, array $callbackSettings = []
             $item = $monitoringItem->save();
 
             $command = $executor->getCommand($callbackSettings, $monitoringItem);
+            $command = escapeshellcmd($command); //prevent os command injection
 
             putenv(ElementsProcessManagerBundle::MONITORING_ITEM_ENV_VAR . '=' . $item->getId());
 

src/Service/CommandsValidator.php

@@ -9,7 +9,6 @@
 
 use Elements\Bundle\ProcessManagerBundle\ExecutionTrait;
 use Elements\Bundle\ProcessManagerBundle\Model\Configuration;
-use Exception;
 use Pimcore\Console\Application;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Command\LazyCommand;
@@ -42,19 +41,17 @@ public function __construct(string $strategy = 'default', array $whiteList = [],
         $this->setBlackList($blackList);
     }
 
-    public function validateCommandConfiguration(LazyCommand | Command $command, Configuration $configuration): void
+    public function validateCommandConfiguration(LazyCommand|Command $command, Configuration $configuration): void
     {
 
         $settings = $configuration->getExecutorSettingsAsArray();
         $values = $settings['values'];
 
         $commandOptions = $values['commandOptions'] ?? '';
 
-        //Todo: check if command options are valid
-        //and throw an error if they are not valid
-
-        //        throw new Exception('Command options are not valid');
-
+        if (is_callable([$command, 'validatedCommandOptions'])) {
+            $command->validatedCommandOptions($commandOptions, $configuration);
+        }
     }
 
     /**
@@ -116,7 +113,7 @@ protected function getCommandsDefault(array $commands): array
     /**
      * @return array<string>
      */
-    protected function classUsesTraits(LazyCommand | Command $class, bool $autoload = true): array
+    protected function classUsesTraits(LazyCommand|Command $class, bool $autoload = true): array
     {
         if ($class instanceof LazyCommand) {
             $class = $class->getCommand();