Merge pull request #1433 from Cadlaxa/fixes

stakira · web-flow · commit 98dcdd3236b7 · 2025-03-30T17:26:01.000-07:00
Fix Command Injection Vulnerability in Classic Renderer
diff --git a/OpenUtau.Core/Classic/ExeWavtool.cs b/OpenUtau.Core/Classic/ExeWavtool.cs
@@ -1,4 +1,4 @@
-﻿using System.Collections.Generic;
+using System.Collections.Generic;
 using System.IO;
 using System.Runtime.InteropServices;
 using System.Text;
@@ -8,7 +8,7 @@
 using OpenUtau.Core.Render;
 using OpenUtau.Core.Util;
 using Serilog;
-
+using System.Text.RegularExpressions;
 using System;
 
 namespace OpenUtau.Classic {
@@ -146,7 +146,8 @@ void WriteItem(StreamWriter writer, ResamplerItem item, int index, int total) {
             string resampPath = OS.IsLinux() ? ResolveResamplerExePathLinux(item.resampler.FilePath) : item.resampler.FilePath;
             writer.WriteLine($"@set resamp={ConvertIfNeeded(resampPath)}");
             writer.WriteLine($"@set params={item.volume} {item.modulation} !{item.tempo:G999} {Base64.Base64EncodeInt12(item.pitches)}");
-            writer.WriteLine($"@set flag=\"{item.GetFlagsString()}\"");
+            // fixed the commandline vulnerabilities that also exists in og utau
+            writer.WriteLine($"@set flag=\"{EscapeFlags(item.GetFlagsString())}\"");
             writer.WriteLine($"@set env={GetEnvelope(item)}");
             writer.WriteLine($"@set stp={item.skipOver}");
             writer.WriteLine($"@set vel={item.velocity}");
@@ -165,6 +166,30 @@ string MakeProgressBar(int index, int total) {
             return $"{new string('#', fill)}{new string('-', kWidth - fill)}({index}/{total})";
         }
 
+        private static string EscapeFlags(string flag) {
+            // Remove special characters
+            flag = Regex.Replace(flag, @"[&/\\|<>\""'!:#\n\t].", "");
+
+            // Remove specific file extensions (case-insensitive)
+            string[] extensions = {
+                ".exe", ".py", ".app", ".bat", ".cmd", ".sh", ".vbs", ".js", ".wsf", ".msi", ".com", ".pif",
+                ".scr", ".hta", ".cpl", ".jar", ".ps1", ".psm1", ".msh", ".msh1", ".msh2", ".mshxml", ".msh1xml", ".msh2xml"
+            };
+            foreach (var ext in extensions) {
+                if (flag.EndsWith(ext, StringComparison.OrdinalIgnoreCase)) {
+                    flag = flag.Substring(0, flag.Length - ext.Length);
+                }
+            }
+            // Remove "https://" case-insensitively
+            if (flag.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) {
+                flag = flag.Substring(8);
+            }
+            else if (flag.StartsWith("http://", StringComparison.OrdinalIgnoreCase)) {
+                flag = flag.Substring(7);
+            }
+            return flag;
+        }
+
         string GetEnvelope(ResamplerItem item) {
             var env = item.phone.envelope;
             sb.Clear()
