zfsafe/tools/PsqlTool.py

import pexpect
import shlex
from tools.ToolBase import ToolBase

class PsqlTool(ToolBase):
    def validate_instruction(self, instruction):
        #指令过滤
        timeout = 60
        return instruction,timeout

    def analyze_result(self, result,instruction,stderr,stdout):
        #指令结果分析
        return result

    def do_worker_pexpect(self,str_instruction,timeout,ext_params):
        try:
            safe_command = shlex.quote(str_instruction)
            cmd = f"bash -c {safe_command}"
            exc_do = pexpect.spawn(cmd,timeout=timeout,encoding='utf-8')
            index = exc_do.expect([
                pexpect.TIMEOUT,
                pexpect.EOF,
                'Password for user postgres:',
                '用户 postgres 的口令：'
            ])
            #strout = exc_do.before.decode('utf-8', errors='replace')
            strout = exc_do.before
            if index == 0 or index ==1:
                return strout
            elif index ==2 or index==3:
                strout += '用户 postgres 的口令：'
                exc_do.sendline('') #输入空密码后不知道会有多少种情况，密码不对，密码对
                index = exc_do.expect([pexpect.TIMEOUT,pexpect.EOF])
                print(index)
                strout += exc_do.before
                return strout
        except Exception as e:
            return f"执行错误: {str(e)}"

    def execute_instruction(self, instruction_old):
        '''
        执行指令：验证合法性 -> 执行 -> 分析结果
        *****如果指令要做验证，只做白名单，所有逻辑不是全放开就是白名单*****
        :param instruction_old:
        :return:
            bool:true-正常返回给大模型处理下一步，false-结果不返回给大模型,2--需要人工确认的指令
            str:执行的指令
            str:执行指令的结果-解析过滤后的结果--也是提交给LLM的结果
            str:执行指令的结果-原结果
            object:补充参数-封装一个对象： 0-不知是否攻击成功，1-明确存在漏洞，2-明确不存在漏洞
        '''

        ext_params = self.create_extparams()
        # 第一步：验证指令合法性
        instruction,timeout = self.validate_instruction(instruction_old)
        if not instruction:
            ext_params.is_user= True
            return False,instruction_old,"该指令暂不执行！由用户确认是否要兼容支持","",ext_params      #未
        #过滤修改后的指令是否需要判重？同样指令再执行结果一致？待定---#？

        # 第二步：执行指令
        #output = self.do_worker_script(instruction, timeout, ext_params)
        output = self.do_worker_pexpect(instruction,timeout,ext_params)

        # 第三步：分析执行结果
        if isinstance(output,bytes):#若是bytes则转成str
            output = output.decode('utf-8', errors='ignore')

        analysis = self.analyze_result(output,instruction,"","")

        if not analysis:    #analysis为“” 不提交LLM
            ext_params.is_user = True
            return False,instruction,analysis,output,ext_params
        return True,instruction, analysis,output,ext_params