Fix: Plugin System Sandbox Bypass and git clone URL Bypass. Updated versioning as well. (#40)

Author: ParzivalHack

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = pyspector
-version = 0.1.6
+version = 0.1.7
 
 [options]
 package_dir=

src/pyspector/_rust_core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "_rust_core"
-version = "0.1.6"
+version = "0.1.7"
 edition = "2021"
 
 [lib]

src/pyspector/cli.py

@@ -14,6 +14,7 @@
 from .triage import run_triage_tui
 from .plugin_system import get_plugin_manager, PluginSecurity
 import requests
+from urllib.parse import urlparse
 
 # Import the Rust core from its new location
 try:
@@ -268,7 +269,7 @@ def cli():
              __/>                       / \                                                                   
 """
     click.echo(click.style(banner))
-    click.echo("Version: 0.1.6\n")
+    click.echo("Version: 0.1.7\n")
     click.echo("Made with <3 by github.com/ParzivalHack\n")
     note = get_startup_note()
     click.echo(click.style(f"{note}\n", fg="bright_black", italic=True))
@@ -362,6 +363,16 @@ def run_scan_command(
 
         # Repo scan
         if params["repo_url"]:
+            try:
+                _parsed = urlparse(params["repo_url"])
+                _hostname = _parsed.hostname or ""
+            except Exception:
+                _hostname = ""
+
+            if _hostname not in ("github.com", "gitlab.com"):
+                raise click.BadParameter(
+                    "URL must be a public GitHub or GitLab repository. "
+            )
             with tempfile.TemporaryDirectory() as temp_dir:
                 click.echo(f"[*] Cloning '{params['repo_url']}' into temporary directory...")
                 subprocess.run(
@@ -435,8 +446,16 @@ def run_scan_command(
 
     if repo_url:
         # Handle Git URL cloning
-        if not ("github.com" in repo_url or "gitlab.com" in repo_url):
-            raise click.BadParameter("URL must be a public GitHub or GitLab repository.")
+        try:
+            _parsed = urlparse(repo_url)
+            _hostname = _parsed.hostname or ""
+        except Exception:
+            _hostname = ""
+
+        if _hostname not in ("github.com", "gitlab.com"):
+            raise click.BadParameter(
+                "URL must be a public GitHub or GitLab repository. "
+            )
 
         with tempfile.TemporaryDirectory() as temp_dir:
             click.echo(f"[*] Cloning '{repo_url}' into temporary directory...")

src/pyspector/plugin_system.py

@@ -143,6 +143,8 @@ def validate_plugin_code(plugin_path: Path) -> tuple[bool, str]:
             "exec",
             "compile",
             "__import__",
+            "vars",
+            "getattr", 
             "os.system",
             "os.popen",
             "subprocess.Popen",
@@ -184,6 +186,10 @@ def resolve_name(node: ast.AST) -> Optional[str]:
                     attrs.append(base)
                     attrs.reverse()
                     return ".".join(attrs)
+            if isinstance(node, ast.Call):
+                inner = resolve_name(node.func)
+                if inner:
+                    return inner
             return None
 
         class Analyzer(ast.NodeVisitor):