Fix: replace system() with execvp() in SharedLibManager (#2465)

an-tao · web-flow · commit bd7e22d88c60 · 2026-03-10T10:25:28.000+08:00
diff --git a/fix.patch b/fix.patch
@@ -0,0 +1,146 @@
+diff --git a/lib/src/SharedLibManager.cc b/lib/src/SharedLibManager.cc
+index bf67b4f2..7a035a48 100644
+--- a/lib/src/SharedLibManager.cc
++++ b/lib/src/SharedLibManager.cc
+@@ -17,10 +17,49 @@
+ #include <dirent.h>
+ #include <dlfcn.h>
+ #include <fstream>
++#include <sstream>
+ #include <sys/types.h>
++#include <sys/wait.h>
+ #include <trantor/utils/Logger.h>
+ #include <unistd.h>
+ 
++// Safe exec helper: runs a program with explicit argv, no shell involved.
++// Returns the exit status, or -1 on fork/exec failure.
++static int safeExec(const std::vector<std::string> &args)
++{
++    if (args.empty())
++        return -1;
++
++    std::vector<char *> argv;
++    argv.reserve(args.size() + 1);
++    for (auto &a : args)
++        argv.push_back(const_cast<char *>(a.c_str()));
++    argv.push_back(nullptr);
++
++    pid_t pid = fork();
++    if (pid == -1)
++    {
++        perror("fork");
++        return -1;
++    }
++    if (pid == 0)
++    {
++        // Child: replace image with the target program.
++        execvp(argv[0], argv.data());
++        // execvp only returns on error.
++        perror("execvp");
++        _exit(127);
++    }
++    // Parent: wait for child.
++    int status = 0;
++    if (waitpid(pid, &status, 0) == -1)
++    {
++        perror("waitpid");
++        return -1;
++    }
++    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
++}
++
+ static void forEachFileIn(
+     const std::string &path,
+     const std::function<void(const std::string &, const struct stat &)> &cb)
+@@ -153,20 +192,18 @@ void SharedLibManager::managerLibs()
+                         else
+                         {
+                             // generate source code and compile it.
+-                            std::string cmd = "drogon_ctl create view ";
+-                            if (!outputPath_.empty())
+-                            {
+-                                cmd.append(filename).append(" -o ").append(
+-                                    outputPath_);
+-                            }
+-                            else
+-                            {
+-                                cmd.append(filename).append(" -o ").append(
+-                                    libPath);
+-                            }
++                            const std::string &outDir =
++                                !outputPath_.empty() ? outputPath_ : libPath;
++                            std::vector<std::string> genArgs = {"drogon_ctl",
++                                                                "create",
++                                                                "view",
++                                                                filename,
++                                                                "-o",
++                                                                outDir};
+                             srcFile.append(".cc");
+-                            LOG_TRACE << cmd;
+-                            auto r = system(cmd.c_str());
++                            LOG_TRACE << "drogon_ctl create view " << filename
++                                      << " -o " << outDir;
++                            auto r = safeExec(genArgs);
+                             // TODO: handle r
+                             (void)(r);
+                             dlStat.handle =
+@@ -203,24 +240,45 @@ void *SharedLibManager::compileAndLoadLib(const std::string &sourceFile,
+                                           void *oldHld)
+ {
+     LOG_TRACE << "src:" << sourceFile;
+-    std::string cmd = COMPILER_COMMAND;
+-    cmd.append(" ")
+-        .append(sourceFile)
+-        .append(" ")
+-        .append(COMPILATION_FLAGS)
+-        .append(" ")
+-        .append(INCLUDING_DIRS);
+-    if (std::string(COMPILER_ID).find("Clang") != std::string::npos)
+-        cmd.append(" -shared -fPIC -undefined dynamic_lookup -o ");
+-    else
+-        cmd.append(" -shared -fPIC --no-gnu-unique -o ");
+     auto pos = sourceFile.rfind('.');
+     auto soFile = sourceFile.substr(0, pos);
+     soFile.append(".so");
+-    cmd.append(soFile);
+-    LOG_TRACE << cmd;
+ 
+-    if (system(cmd.c_str()) == 0)
++    // Build argv without invoking a shell so that metacharacters in
++    // sourceFile or soFile cannot be interpreted by /bin/sh.
++    std::vector<std::string> compileArgs;
++    compileArgs.push_back(COMPILER_COMMAND);
++
++    // COMPILATION_FLAGS and INCLUDING_DIRS are baked in at build time from
++    // trusted CMake variables; split them on whitespace into separate tokens.
++    auto splitIntoArgs = [&](const std::string &s) {
++        std::istringstream iss(s);
++        std::string token;
++        while (iss >> token)
++            compileArgs.push_back(token);
++    };
++    compileArgs.push_back(sourceFile);
++    splitIntoArgs(COMPILATION_FLAGS);
++    splitIntoArgs(INCLUDING_DIRS);
++    if (std::string(COMPILER_ID).find("Clang") != std::string::npos)
++    {
++        compileArgs.push_back("-shared");
++        compileArgs.push_back("-fPIC");
++        compileArgs.push_back("-undefined");
++        compileArgs.push_back("dynamic_lookup");
++    }
++    else
++    {
++        compileArgs.push_back("-shared");
++        compileArgs.push_back("-fPIC");
++        compileArgs.push_back("--no-gnu-unique");
++    }
++    compileArgs.push_back("-o");
++    compileArgs.push_back(soFile);
++
++    LOG_TRACE << COMPILER_COMMAND << " " << sourceFile << " ... -o " << soFile;
++
++    if (safeExec(compileArgs) == 0)
+     {
+         LOG_TRACE << "Compiled successfully:" << soFile;
+         return loadLib(soFile, oldHld);
diff --git a/lib/src/SharedLibManager.cc b/lib/src/SharedLibManager.cc
@@ -17,10 +17,49 @@
 #include <dirent.h>
 #include <dlfcn.h>
 #include <fstream>
+#include <sstream>
 #include <sys/types.h>
+#include <sys/wait.h>
 #include <trantor/utils/Logger.h>
 #include <unistd.h>
 
+// Safe exec helper: runs a program with explicit argv, no shell involved.
+// Returns the exit status, or -1 on fork/exec failure.
+static int safeExec(const std::vector<std::string> &args)
+{
+    if (args.empty())
+        return -1;
+
+    std::vector<char *> argv;
+    argv.reserve(args.size() + 1);
+    for (auto &a : args)
+        argv.push_back(const_cast<char *>(a.c_str()));
+    argv.push_back(nullptr);
+
+    pid_t pid = fork();
+    if (pid == -1)
+    {
+        perror("fork");
+        return -1;
+    }
+    if (pid == 0)
+    {
+        // Child: replace image with the target program.
+        execvp(argv[0], argv.data());
+        // execvp only returns on error.
+        perror("execvp");
+        _exit(127);
+    }
+    // Parent: wait for child.
+    int status = 0;
+    if (waitpid(pid, &status, 0) == -1)
+    {
+        perror("waitpid");
+        return -1;
+    }
+    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
+}
+
 static void forEachFileIn(
     const std::string &path,
     const std::function<void(const std::string &, const struct stat &)> &cb)
@@ -153,20 +192,18 @@ void SharedLibManager::managerLibs()
                         else
                         {
                             // generate source code and compile it.
-                            std::string cmd = "drogon_ctl create view ";
-                            if (!outputPath_.empty())
-                            {
-                                cmd.append(filename).append(" -o ").append(
-                                    outputPath_);
-                            }
-                            else
-                            {
-                                cmd.append(filename).append(" -o ").append(
-                                    libPath);
-                            }
+                            const std::string &outDir =
+                                !outputPath_.empty() ? outputPath_ : libPath;
+                            std::vector<std::string> genArgs = {"drogon_ctl",
+                                                                "create",
+                                                                "view",
+                                                                filename,
+                                                                "-o",
+                                                                outDir};
                             srcFile.append(".cc");
-                            LOG_TRACE << cmd;
-                            auto r = system(cmd.c_str());
+                            LOG_TRACE << "drogon_ctl create view " << filename
+                                      << " -o " << outDir;
+                            auto r = safeExec(genArgs);
                             // TODO: handle r
                             (void)(r);
                             dlStat.handle =
@@ -203,24 +240,45 @@ void *SharedLibManager::compileAndLoadLib(const std::string &sourceFile,
                                           void *oldHld)
 {
     LOG_TRACE << "src:" << sourceFile;
-    std::string cmd = COMPILER_COMMAND;
-    cmd.append(" ")
-        .append(sourceFile)
-        .append(" ")
-        .append(COMPILATION_FLAGS)
-        .append(" ")
-        .append(INCLUDING_DIRS);
-    if (std::string(COMPILER_ID).find("Clang") != std::string::npos)
-        cmd.append(" -shared -fPIC -undefined dynamic_lookup -o ");
-    else
-        cmd.append(" -shared -fPIC --no-gnu-unique -o ");
     auto pos = sourceFile.rfind('.');
     auto soFile = sourceFile.substr(0, pos);
     soFile.append(".so");
-    cmd.append(soFile);
-    LOG_TRACE << cmd;
 
-    if (system(cmd.c_str()) == 0)
+    // Build argv without invoking a shell so that metacharacters in
+    // sourceFile or soFile cannot be interpreted by /bin/sh.
+    std::vector<std::string> compileArgs;
+    compileArgs.push_back(COMPILER_COMMAND);
+
+    // COMPILATION_FLAGS and INCLUDING_DIRS are baked in at build time from
+    // trusted CMake variables; split them on whitespace into separate tokens.
+    auto splitIntoArgs = [&](const std::string &s) {
+        std::istringstream iss(s);
+        std::string token;
+        while (iss >> token)
+            compileArgs.push_back(token);
+    };
+    compileArgs.push_back(sourceFile);
+    splitIntoArgs(COMPILATION_FLAGS);
+    splitIntoArgs(INCLUDING_DIRS);
+    if (std::string(COMPILER_ID).find("Clang") != std::string::npos)
+    {
+        compileArgs.push_back("-shared");
+        compileArgs.push_back("-fPIC");
+        compileArgs.push_back("-undefined");
+        compileArgs.push_back("dynamic_lookup");
+    }
+    else
+    {
+        compileArgs.push_back("-shared");
+        compileArgs.push_back("-fPIC");
+        compileArgs.push_back("--no-gnu-unique");
+    }
+    compileArgs.push_back("-o");
+    compileArgs.push_back(soFile);
+
+    LOG_TRACE << COMPILER_COMMAND << " " << sourceFile << " ... -o " << soFile;
+
+    if (safeExec(compileArgs) == 0)
     {
         LOG_TRACE << "Compiled successfully:" << soFile;
         return loadLib(soFile, oldHld);
