
fix: validate urls before opening them [AEM-04] #2257

Closed
rofe opened this issue Oct 17, 2023 · 3 comments · Fixed by #2258
Labels: bug (Something isn't working), released, security

Comments


rofe commented Oct 17, 2023

Description
Follow up to #2149 from remediation:

We noted that such URL-encoding was not applied for the hlx up or hlx import commands. It is therefore still possible to inject OS commands. The following commands will run calc.exe on the host machine:

```
$ aem up --open 'https://$(calc.exe)'
...

info: Starting AEM dev server v15.0.1
info: Local AEM dev server up and running: http://localhost:3000/
info: Enabled reverse proxy to https://main--retest-website1--username.hlx.page
opening default browser: https://$(calc.exe)/
$ aem import --open 'https://$(calc.exe)'
...

AEM Importer UI needs to be installed.
Cloning https://github.com/adobe/helix-importer-ui in /tmp/retest-website1/tools/importer.
AEM Importer UI is ready. v1.46.1
info: Starting AEM dev server v15.0.1
info: Local AEM dev server up and running: http://localhost:3001/
opening default browser: https://$(calc.exe)/
```

Expected behavior
OS command injection prevented

@rofe rofe added bug Something isn't working security labels Oct 17, 2023
@tripodsan tripodsan self-assigned this Oct 18, 2023

tripodsan commented Oct 18, 2023

I can reproduce it on Windows:

[image]

but not on macOS or Linux:

[image]

I guess we just validate the hostname.
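One way to do the validation proposed above before a `--open` value reaches a browser launcher (which may embed it in a shell command string). This is an added example, not helix-cli's own fix; the function name `validateOpenUrl`, the character deny-list and the hostname rule are assumptions.

```javascript
// Added example: reject a --open URL before it is handed to a launcher.
// Not the project's code; rules below are assumptions, not the real fix.

// Characters with meaning to common launch shells (PowerShell, cmd, sh):
// subexpressions, grouping, pipes, separators, redirects, quoting, space.
const DANGEROUS = /[$`(){}|;&<>\\"'\s]/;

// Hostname: dot-separated labels of letters, digits and inner hyphens.
// Deliberately excludes bracketed IPv6 literals and any other syntax.
const LABEL = '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?';
const HOSTNAME = new RegExp(`^${LABEL}(?:\\.${LABEL})*$`, 'i');

function validateOpenUrl(input) {
  // 1. Deny-list check on the raw string, before any parsing/normalising,
  //    so nothing the parser might accept in the host, path or query slips by.
  if (typeof input !== 'string' || DANGEROUS.test(input)) {
    return { ok: false, reason: 'dangerous characters' };
  }
  // 2. Must be an absolute, parseable URL.
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: 'not a valid URL' };
  }
  // 3. Only web schemes may be opened in a browser.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `unsupported protocol ${url.protocol}` };
  }
  // 4. Positive check on the parsed hostname (the WHATWG parser accepts
  //    hosts such as "$(calc.exe)", so this is what actually constrains it).
  if (!HOSTNAME.test(url.hostname)) {
    return { ok: false, reason: `invalid hostname ${url.hostname}` };
  }
  // Return the normalised form so the caller opens exactly what was checked.
  return { ok: true, url: url.href };
}
```

The deny-list is strict on purpose: query separators such as `&` are rejected too, so a caller that needs them must use a launcher API that does not pass the URL through a shell.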

@tripodsan:

related: sindresorhus/open#323

tripodsan added a commit that referenced this issue Oct 18, 2023
tripodsan pushed a commit that referenced this issue Oct 18, 2023
## [15.0.2](v15.0.1...v15.0.2) (2023-10-18)

### Bug Fixes

* reject dangerous url characters (--open) ([#2258](#2258)) ([25df8e8](25df8e8)), closes [#2257](#2257)
@tripodsan

🎉 This issue has been resolved in version 15.0.2 🎉

The release is available on:

Your semantic-release bot 📦🚀
