[Binary residue: the page is a compiled CPython 3.11 bytecode file (.pyc) for /opt/imunify360/venv/lib/python3.11/site-packages/defence360agent/hooks/execute.py. Only the embedded string constants are recoverable; the placeholder below keeps those and drops the marshal bytes.]

Recovered module structure:

- Imports referenced in the bytecode: asyncio, json, os, stat, tempfile; defence360agent.contracts.config.Core; defence360agent.hooks.native; defence360agent.internals.logger.EventHookLogger; defence360agent.model.event_hook.EventHook; defence360agent.model.instance.db; defence360agent.utils.run and defence360agent.utils.snake_case.
- Module-level names: logger, event_hook_logger.
- Functions: get_hooks(event), _validate_hook_path(path, native), execute_hook(hook, data), execute_hooks(event, data, tempdir=Core.TMPDIR).
- Recoverable strings in get_hooks: a peewee-style select of EventHook rows where EventHook.event == event, returned as a list.
- Recoverable strings in execute_hook: the path check is run via asyncio run_in_executor; native hooks go through native.execute_hook, subprocess hooks through run(..., shell=False, input=json.dumps(data).encode(), cwd=None); any Exception is converted into a non-zero exit code plus repr(exc); the result is a (exit_code, err) pair.
- Recoverable strings in execute_hooks: data is written to a tempfile.NamedTemporaryFile(mode="w+", prefix="DUMP", suffix=".json", dir=tempdir), flushed and fsync'd, and its name is passed to each hook as params["tmp_filename"]; each hook run is bracketed by event_hook_logger.begin(...) / .finish(...).

Docstring of _validate_hook_path (recovered verbatim apart from line wrapping):

Raise ValueError if path is not a safe hook file.

The original check rejected any path under /tmp, /var/tmp, /dev/shm on the grounds that those dirs are world-writable. That blanket-by-prefix rule was too coarse: pytest's tmp_path lives under /tmp/pytest-of-/... and the agent's own integration fixtures legitimately put hook files there.

The real threats are (a) an attacker-owned file (DB row points at a path the attacker controls) and (b) a hook whose immediate parent is world-writable so the file can be swapped between this check and the exec.

The required permission bit differs between branches: subprocess hooks are exec'd by the kernel (needs X_OK), but native hooks are loaded via importlib's open()+exec_module path which only needs R_OK. A standard Python file in mode 0o644 is loadable but not executable, so requiring +x for native hooks would silently break the typical native-hook deployment (the `hook add-native` RPC has never required or documented an executable bit).

Error messages emitted by _validate_hook_path:

- Hook path does not exist or is not a file: {}
- Hook path is not readable: {}
- Hook path is not executable: {}
- Hook path stat failed: {}: {}
- Hook path is world-writable: {}
- Hook parent stat failed: {}: {}
- Hook path has world-writable parent without sticky bit {}: {}

The checks visible in the bytecode follow the docstring: os.path.isfile, os.access with R_OK (native) or X_OK (subprocess), os.stat of os.path.realpath(path) tested against stat.S_IWOTH, then os.stat of the parent directory (skipped when it is "/") tested for S_IWOTH without S_ISVTX.
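The docstring above explains the policy (file must be readable or executable depending on hook type, must not be world-writable, and must not sit in a world-writable directory without the sticky bit) without showing the code. The following is an added example written for this page, not the project's own `_validate_hook_path`, that implements those checks as described and exercises them against constructed files in a throwaway directory; the function and helper names (`validate_hook_path`, `check`, `demo`) and the error strings taken from the recovered list are the only things it relies on.

```python
import os
import shutil
import stat
import tempfile


def validate_hook_path(path: str, native: bool) -> None:
    """Raise ValueError unless `path` is a safe hook file.

    native=True: the hook is imported by importlib, so R_OK is enough.
    native=False: the hook is exec'd as a subprocess, so X_OK is required.
    """
    if not os.path.isfile(path):
        raise ValueError(f"Hook path does not exist or is not a file: {path}")

    if native:
        if not os.access(path, os.R_OK):
            raise ValueError(f"Hook path is not readable: {path}")
    elif not os.access(path, os.X_OK):
        raise ValueError(f"Hook path is not executable: {path}")

    # Resolve symlinks first: the permission bits that matter are those of
    # the file actually opened or exec'd, not of the link.
    real = os.path.realpath(path)
    try:
        st = os.stat(real)
    except OSError as exc:
        raise ValueError(f"Hook path stat failed: {real}: {exc}") from exc
    if st.st_mode & stat.S_IWOTH:
        raise ValueError(f"Hook path is world-writable: {real}")

    # A world-writable parent lets anyone replace the file between this
    # check and the exec; the sticky bit restricts renames/unlinks to the
    # file owner, which is the usual mitigation for /tmp-style directories.
    parent = os.path.dirname(real)
    if parent and parent != "/":
        try:
            pst = os.stat(parent)
        except OSError as exc:
            raise ValueError(f"Hook parent stat failed: {parent}: {exc}") from exc
        if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
            raise ValueError(
                f"Hook path has world-writable parent without sticky bit "
                f"{parent}: {real}"
            )


def check(path: str, native: bool):
    """Return None if the path is accepted, otherwise the rejection message."""
    try:
        validate_hook_path(path, native)
    except ValueError as exc:
        return str(exc)
    return None


def demo() -> dict:
    """Run the validator over constructed scenarios; returns {scenario: message-or-None}."""
    results = {}
    root = tempfile.mkdtemp(prefix="hookcheck-")  # constructed scratch tree
    try:
        safe_dir = os.path.join(root, "hooks")
        os.mkdir(safe_dir)
        os.chmod(safe_dir, 0o755)
        hook = os.path.join(safe_dir, "hook.py")
        with open(hook, "w") as fh:
            fh.write("print('hook')\n")  # constructed hook body

        os.chmod(hook, 0o644)  # typical native-hook deployment: readable, not +x
        results["native_0644"] = check(hook, native=True)
        results["subprocess_0644"] = check(hook, native=False)

        os.chmod(hook, 0o755)  # subprocess hook needs the execute bit
        results["subprocess_0755"] = check(hook, native=False)

        os.chmod(hook, 0o666)  # world-writable file is rejected for both kinds
        results["native_0666"] = check(hook, native=True)

        open_dir = os.path.join(root, "open")
        os.mkdir(open_dir)
        os.chmod(open_dir, 0o777)  # world-writable parent, no sticky bit
        hook2 = os.path.join(open_dir, "hook.py")
        shutil.copy(hook, hook2)
        os.chmod(hook2, 0o644)
        results["parent_0777"] = check(hook2, native=True)

        os.chmod(open_dir, 0o1777)  # same parent with the sticky bit set
        results["parent_1777"] = check(hook2, native=True)

        results["missing"] = check(os.path.join(root, "nope.py"), native=True)
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, msg in demo().items():
        print(f"{name:16} -> {msg or 'OK'}")
```

Note that this is still a check-then-use sequence: the parent-directory and ownership tests narrow the window in which the file could be swapped, they do not remove it. A stricter design would open the file once, validate the open descriptor with fstat, and exec or import from that descriptor.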