The code is already posted here. See the code in execActuator.py in the onMessage function.
There are two `for arg` loops. The first one strips out the arguments that include `;`, `|`, or `\\` from the command that is loaded from the .ini file. The second one strips out the same types of arguments that are passed as part of the MQTT message.
The way it works is sensorReporter loads a .ini file and dynamically creates sensors and/or actuators based on the contents of the .ini file. For the execActuator that includes a command to execute. This actuator is configured to listen for MQTT messages on a certain topic. The contents of the MQTT message is either “NA” (no arguments) or it includes the command line arguments to pass to the command in the .ini file.
If you try to use `;`, `|`, or `\\` in either the .ini file or the MQTT message you will likely end up with a command that doesn’t run.
I’ve not spent a lot of time analyzing this to make sure there are no other characters or strings that should be excluded and that is the part that is a work in progress. I’m pondering whether `sudo` and `su` should be excluded too, but that is already mitigated by not adding the sensorReporter user to sudoers. I probably should include `&` as well.
An example .ini section for an execActuator is as follows:
```ini
[Actuator1]
Class: execActuator.execActuator
Type: Exec
Connection: MQTT
Poll: 0
Command: ./iphoned.sh
CMDTopic: scripts/presence/iphone/cmd
ResultTopic: scripts/presence/iphone/results
```
iphone.sh is an hping3/arp script for detecting iPhones and newer Androids (arping is not available on the Docker image): see iPhone Presence Detection with hping3 and ARP - #28 by rtvb
In the MQTT message, I pass the IP address and MAC of the phone I want to detect separated by a space.
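The post describes a blocklist approach (strip arguments containing `;`, `|` or `\\`) and notes that the list of excluded characters is still a work in progress. The following is an added example, written for this page and not taken from sensorReporter's execActuator.py, that puts the described blocklist filter beside the two measures that make the character list unnecessary for this use case: an allowlist that accepts only the argument shape the post says it sends (an IPv4 address and a MAC address, or "NA"), and invocation through subprocess with an argument list rather than a shell. The function names, the regexes and the use of `echo` as a stand-in for `./iphoned.sh` are all assumptions made for the example.

```python
import re
import shlex
import subprocess

# Characters the post says execActuator strips from arguments.
# Constructed to mirror the description; not the project's own code.
BLOCKED = {";", "|", "\\"}


def blocklist_filter(args):
    """Drop every argument that contains a blocked character.

    Reimplements the behaviour of the two 'for arg' loops the post describes.
    Note that '&', which the author says should probably be added, passes
    through unchanged, which is the general weakness of a blocklist.
    """
    return [a for a in args if not any(c in a for c in BLOCKED)]


# Allowlist patterns for the only argument shapes the presence script needs
# (assumption based on the post: '<ipv4> <mac>' separated by a space).
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def parse_presence_message(message):
    """Validate an MQTT payload of the form '<ip> <mac>' or 'NA'.

    Returns the argument list on success, or None when the payload does not
    match the allowlist. Anything that is not exactly an IP and a MAC is
    rejected, so no list of dangerous characters has to be maintained.
    """
    if message == "NA":
        return []
    parts = message.split()
    if len(parts) != 2:
        return None
    ip, mac = parts
    if not IPV4_RE.match(ip) or not MAC_RE.match(mac):
        return None
    return [ip, mac]


def build_command(command, args):
    """Build argv: the .ini 'Command' split like a shell would, plus the
    validated arguments as separate list elements."""
    return shlex.split(command) + list(args)


def run_actuator(command, message):
    """Run the configured command with the validated MQTT arguments.

    shell=False means every element of argv reaches the child process as a
    literal string; the shell never gets a chance to interpret it.
    """
    args = parse_presence_message(message)
    if args is None:
        return None
    argv = build_command(command, args)
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed demonstration using 'echo' in place of ./iphoned.sh.
    good = "192.168.1.20 aa:bb:cc:dd:ee:ff"
    print("blocklist keeps '&':", blocklist_filter(["192.168.1.20", "a&b"]))
    print("allowlist result:", parse_presence_message(good))
    print("allowlist rejects extra text:",
          parse_presence_message(good + " & something"))
    result = run_actuator("echo", good)
    print("child saw:", result.stdout.strip())
```

The design point: the blocklist has to be extended every time a new shell metacharacter comes to mind, whereas the allowlist only has to describe the one thing the script legitimately needs, and with shell=False the metacharacter question does not arise in the first place.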