Home
Script-server is a Web UI for scripts.
As an administrator, you add your existing scripts into Script server and other users would be able to execute them via a web interface. The UI is very straightforward and can be used by non-tech people.
No script modifications are needed - you configure each script in Script server and it creates the corresponding UI with parameters and takes care of validation, execution, etc.
- Different types of script parameters (text, flag, dropdown, file upload, etc.)
- Real-time script output
- Users can send input during script execution
- Auth (optional): LDAP, Google OAuth, htpasswd file
- Access control
- Alerts
- Logging and auditing
- Formatted output support (colors, styles, caret positioning)
- Download of script output files
- Execution history
- Admin page for script configuration
For more details check how to configure a script or how to configure the server
Python 3.5 or higher with the following modules:
- Tornado 4 / 5 / 6
Some features can require additional modules. Such requirements are specified in a corresponding feature description.
OS support:
- Linux (main). Tested and working on Debian 9,10
- Windows (additional). Light testing
- macOS (additional). Light testing
Any more or less up to date browser with enabled JS
Internet connection is not needed. All the files are loaded from the server.
- Download script-server.zip file from Latest release
- Create script-server folder anywhere on your PC and extract zip content to this folder
- Clone/download the repository
- Run 'tools/init.py --dev' script (this will download javascript libraries)
- Create configurations for your scripts in conf/runners/ folder (see script config page for details)
- Launch launcher.py from script-server folder
- Windows command: launcher.py
- Linux command: ./launcher.py
- Add/edit scripts on the admin page
By default, the server will run on http://localhost:5000
All the features listed above and some other minor features can be configured in conf/conf.json file. It is allowed not to create this file. In this case, default values will be used. See server config page for details
Admin panel is accessible on admin.html page (e.g. http://localhost:5000/admin.html)
All web/operating logs are written to the logs/server.log Additionally each script logs are written to separate file in logs/processes. File name format is {script_name}_{client_address}_{date}_{time}.log.
Script-server has bundled configs/scripts for testing/demo purposes, which are located in samples folder. You can link/copy these config files (samples/configs/*.json) to server config folder (conf/runners).
I do my best to make script-server secure and invulnerable to attacks, injections or user data security. However to be on the safe side, it's better to run Script server only on a trusted network.
Any security leaks report or recommendations are greatly appreciated!
Script server guarantees that all user parameters are passed to an executable script as arguments and won't be executed under any conditions. There is no way to inject fraud command from a client-side. However user parameters are not escaped, so scripts should take care of not executing them also (general recommendation for bash is at least to wrap all arguments in double-quotes). It's recommended to use typed parameters when appropriate, because they are validated for proper values and so they are harder to be subject of commands injection. Such attempts would be easier to detect also.
Important! Command injection protection is fully supported for Linux, but only for .bat and .exe files on Windows
At the moment script server is vulnerable to these attacks.
