@@ -486,24 +486,38 @@ def __build_windows_cmdline(self):
486486
487487 @staticmethod
488488 def __validate_target (target ):
489- # See https://nmap.org/book/man-target-specification.html for all the
490- # ways targets can be specified
489+ """
490+ Check if a provided target is valid. This function was created
491+ in order to address CVE-2022-30284
492+
493+ See https://nmap.org/book/man-target-specification.html for all the
494+ ways targets can be specified
495+
496+ This function verifies the following:
497+
498+ - matches the user specified target against a list of allowed chars
499+ - check if dashes are used at the start or at the end of target
500+
501+ FQDN can contain dashes anywhere except at the beginning or end
502+ This check also fixes/prevents CVE-2022-30284, which depends on being
503+ able to pass options such as --script as a target
504+
505+ :return: False if target contains forbidden characters
506+ """
491507 allowed_characters = frozenset (
492508 string .ascii_letters + string .digits + "-.:/% "
493509 )
494510 if not set (target ).issubset (allowed_characters ):
495511 raise Exception (
496512 "Target '{}' contains invalid characters" .format (target )
497513 )
498- # FQDN can contain dashes anywhere except at the beginning or end
499- # This check also fixes/prevents CVE-2022-30284, which depends on being
500- # able to pass options such as --script as a target
501514 elif target .startswith ("-" ) or target .endswith ("-" ):
502515 raise Exception (
503516 "Target '{}' cannot begin or end with a dash ('-')" .format (
504517 target
505518 )
506519 )
520+ return True
507521
508522 @property
509523 def command (self ):
0 commit comments