From 3d58b6508ce9837ad553efc1147c512e04be0f05 Mon Sep 17 00:00:00 2001
From: PeanutSplash
Date: Fri, 6 Mar 2026 22:23:33 +0800
Subject: [PATCH] fix(linux): validate SUDO_USER and use prefix matching for interpreters

- Validate SUDO_USER via pwd.getpwnam() to prevent path injection
- Use prefix matching for interpreter detection to cover python3.10+ etc.

Co-Authored-By: Claude Opus 4.6
---
 config.py | 10 +++++++++-
 find_all_keys_linux.py | 6 +++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/config.py b/config.py
index c4e5d09..b72b4bc 100644
--- a/config.py
+++ b/config.py
@@ -116,7 +116,15 @@ def _auto_detect_db_dir_linux():
 # sudo 运行时,~ 展开为 /root;回退到实际用户的 home
 sudo_user = os.environ.get("SUDO_USER")
 if sudo_user:
- sudo_home = os.path.expanduser(f"~{sudo_user}")
+ # 验证 SUDO_USER 是合法系统用户,防止路径注入
+ import pwd
+ try:
+ pw = pwd.getpwnam(sudo_user)
+ sudo_home = pw.pw_dir
+ except KeyError:
+ sudo_home = None
+ if not sudo_home:
+ sudo_home = os.path.expanduser(f"~{sudo_user}")
 fallback = os.path.join(sudo_home, "Documents", "xwechat_files")
 if fallback not in search_roots:
 search_roots.append(fallback)
diff --git a/find_all_keys_linux.py b/find_all_keys_linux.py
index 92b0e65..6e0dce8 100644
--- a/find_all_keys_linux.py
+++ b/find_all_keys_linux.py
@@ -28,7 +28,7 @@ def _safe_readlink(path):
 return ""
 
 
-_INTERPRETERS = {"python", "python3", "bash", "sh", "zsh", "node", "perl", "ruby"}
+_INTERPRETER_PREFIXES = ("python", "bash", "sh", "zsh", "node", "perl", "ruby")
 
 
 def _is_wechat_process(pid):
@@ -44,8 +44,8 @@ def _is_wechat_process(pid):
 comm = f.read().strip()
 exe_path = _safe_readlink(f"/proc/{pid}/exe")
 exe_name = os.path.basename(exe_path)
- # 排除脚本解释器进程(避免匹配 python3 wechat-decrypt 等)
- if exe_name.lower() in _INTERPRETERS:
+ # 排除脚本解释器进程(避免匹配 python3.11 wechat-decrypt 等)
+ if any(exe_name.lower().startswith(p) for p in _INTERPRETER_PREFIXES):
 return False
 haystack = f"{comm} {exe_name}".lower()
 return "wechat" in haystack or "weixin" in haystack
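Review bot: In the config.py hunk the `except KeyError` branch does not reject an unknown SUDO_USER: it sets `sudo_home = None`, and the following `if not sudo_home:` then calls `os.path.expanduser(f"~{sudo_user}")` on the same unvalidated value, which is the call the commit set out to replace. expanduser looks up only the part before the first `/` and keeps the rest of the string, so a value containing path separators still ends up in the search root. I would drop the two fallback lines and put the `fallback = os.path.join(...)` / `search_roots.append(fallback)` block under `if sudo_home:`, so that an unknown user or an empty `pw_dir` adds no search root at all. `_auto_detect_db_dir_linux` starts and ends outside the hunk, so how `search_roots` is consumed afterwards is not visible here.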
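Review bot: In find_all_keys_linux.py, `startswith` against `_INTERPRETER_PREFIXES` excludes more than versioned interpreters: any executable whose basename begins with `sh`, `node` or `perl` now makes `_is_wechat_process` return False before the wechat/weixin check runs. Stripping the version suffix and keeping the exact-match set covers `python3.11` without that widening, e.g. `if exe_name.lower().rstrip("0123456789.") in _INTERPRETERS:`, with `"python3"` no longer needed in the set. The tuple is defined in the file's first hunk and used in the second, and `_is_wechat_process` begins above the second hunk.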