diff --git a/src/Agent.Sdk/Knob/AgentKnobs.cs b/src/Agent.Sdk/Knob/AgentKnobs.cs
index 6575b723b2..e6cffaf574 100644
--- a/src/Agent.Sdk/Knob/AgentKnobs.cs
+++ b/src/Agent.Sdk/Knob/AgentKnobs.cs
@@ -439,13 +439,6 @@ public class AgentKnobs
 new EnvironmentKnobSource("AGENT_USE_NODE"),
 new BuiltInDefaultKnobSource(string.Empty));
- public static readonly Knob ProcessHandlerSecureArguments = new Knob(
- nameof(ProcessHandlerSecureArguments),
- "Enables passing arguments for process handler secure way",
- new RuntimeKnobSource("AGENT_PH_ENABLE_SECURE_ARGUMENTS"),
- new EnvironmentKnobSource("AGENT_PH_ENABLE_SECURE_ARGUMENTS"),
- new BuiltInDefaultKnobSource("true"));
-
 public static readonly Knob ProcessHandlerTelemetry = new Knob(
 nameof(ProcessHandlerTelemetry),
 "Enables publishing telemetry about processing of arguments for Process Handler",
diff --git a/src/Agent.Worker/Handlers/ProcessHandler.cs b/src/Agent.Worker/Handlers/ProcessHandler.cs
index 07e4f0e411..09b03a2896 100644
--- a/src/Agent.Worker/Handlers/ProcessHandler.cs
+++ b/src/Agent.Worker/Handlers/ProcessHandler.cs
@@ -63,6 +63,14 @@ public async Task RunAsync()
 Trace.Info($"Command is rooted: {isCommandRooted}");
+ var disableInlineExecution = StringUtil.ConvertToBoolean(Data.DisableInlineExecution);
+ ExecutionContext.Debug($"Disable inline execution: '{disableInlineExecution}'");
+
+ if (disableInlineExecution && !File.Exists(command))
+ {
+ throw new Exception(StringUtil.Loc("FileNotFound", command));
+ }
+
 // Determine the working directory.
 string workingDirectory;
 if (!string.IsNullOrEmpty(Data.WorkingDirectory))
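Review bot: In ProcessHandler.cs `RunAsync`, `disableInlineExecution` is taken only from the task input `Data.DisableInlineExecution`, while the knob this commit deletes from AgentKnobs.cs (`ProcessHandlerSecureArguments`) had a built-in default of `"true"`; if `StringUtil.ConvertToBoolean` yields false for an absent input (its body is not shown here), the script-file path becomes opt-in and every task that does not set the input takes the `cmd.exe /c "{command} {arguments}"` branch in the `@@ -127,23 +132,25 @@` hunk. As far as this diff shows, that leaves the agent operator with no setting to enforce the safer path, so I would state the default next to the read, e.g. `// Opt-in per task: when the input is missing, arguments are passed to cmd.exe inline.`, and consider keeping an agent-level knob that can force it on. Separately, `File.Exists(command)` runs before the working directory is determined, so unless `command` was made absolute earlier in the method (not visible here) a non-rooted command is checked against the agent process's current directory, which may differ from the directory the process is started in. `RunAsync` begins and ends outside this hunk.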
@@ -117,9 +125,6 @@ public async Task RunAsync()
 _modifyEnvironment = StringUtil.ConvertToBoolean(Data.ModifyEnvironment);
 ExecutionContext.Debug($"Modify environment: '{_modifyEnvironment}'");
- var enableSecureArguments = AgentKnobs.ProcessHandlerSecureArguments.GetValue(ExecutionContext).AsBoolean();
- ExecutionContext.Debug($"Enable secure arguments: '{enableSecureArguments}'");
-
 // Resolve cmd.exe.
 string cmdExe = System.Environment.GetEnvironmentVariable("ComSpec");
 if (string.IsNullOrEmpty(cmdExe))
@@ -127,23 +132,25 @@ public async Task RunAsync()
 cmdExe = "cmd.exe";
 }
- if (enableSecureArguments)
+ string cmdExeArgs;
+ // In this case we don't allow execution of built-in commands.
+ if (disableInlineExecution)
 {
 GenerateScriptFile(cmdExe, command, arguments);
+ cmdExeArgs = $"/c \"{_generatedScriptPath}\"";
 }
-
- // Format the input to be invoked from cmd.exe to enable built-in shell commands. For example, RMDIR.
- var cmdExeArgs = enableSecureArguments
- ? $"/c \"{_generatedScriptPath}"
- : $"/c \"{command} {arguments}";
-
- cmdExeArgs += _modifyEnvironment && !enableSecureArguments
+ else
+ {
+ // Format the input to be invoked from cmd.exe to enable built-in shell commands. For example, RMDIR.
+ cmdExeArgs = $"/c \"{command} {arguments}";
+ cmdExeArgs += _modifyEnvironment
 ? $" && echo {OutputDelimiter} && set \""
 : "\"";
+ }
 // Invoke the process.
 ExecutionContext.Debug($"{cmdExe} {cmdExeArgs}");
- ExecutionContext.Command($"{command} {arguments}");
+ ExecutionContext.Command($"{cmdExeArgs}");
 using (var processInvoker = HostContext.CreateService())
 {
 processInvoker.OutputDataReceived += OnOutputDataReceived;
diff --git a/src/Agent.Worker/TaskManager.cs b/src/Agent.Worker/TaskManager.cs
index c8739a9a35..c76e0586cd 100644
--- a/src/Agent.Worker/TaskManager.cs
+++ b/src/Agent.Worker/TaskManager.cs
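Review bot: In ProcessHandler.cs `RunAsync`, `ExecutionContext.Command($"{cmdExeArgs}")` replaces the line that logged `{command} {arguments}`, so when `disableInlineExecution` is set the command line in the job log is only `/c "<generated script path>"` and no longer records which command and arguments the step ran. The preceding `ExecutionContext.Debug` line already prints `{cmdExe} {cmdExeArgs}`, so if the command line is meant to stay in the log for audit I would keep `ExecutionContext.Command($"{command} {arguments}");`; otherwise pass `cmdExeArgs` directly, since the interpolation is redundant. The `disableInlineExecution` branch also omits the `&& echo {OutputDelimiter} && set` suffix without any message, so a task that sets both inputs presumably gets no environment capture and nothing says so; a one-line `ExecutionContext.Debug` in that branch would make it visible. The body of `RunAsync` extends beyond this hunk.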
@@ -815,6 +815,18 @@ public string WorkingDirectory
 SetInput(nameof(WorkingDirectory), value);
 }
 }
+
+ public string DisableInlineExecution
+ {
+ get
+ {
+ return GetInput(nameof(DisableInlineExecution));
+ }
+ set
+ {
+ SetInput(nameof(DisableInlineExecution), value);
+ }
+ }
 }
 public sealed class AgentPluginHandlerData : HandlerData
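Review bot: The new `DisableInlineExecution` property has no comment saying which values it accepts or what an absent input means, although ProcessHandler parses it with `StringUtil.ConvertToBoolean` and uses it to choose between the generated script file and inline `cmd.exe /c`. Because that choice decides whether task arguments reach the shell's command line, a summary on the property would help task authors, for example `/// <summary>Boolean-like task input; when true, ProcessHandler requires the command to be an existing file and runs it through a generated script instead of inline cmd.exe /c.</summary>`. The enclosing class starts above this hunk, so its name is not visible here.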