Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FIX] security: OS Command Injection vulnerability (x2) #1219 #1227

Merged
merged 7 commits into from
Apr 18, 2024
Merged

[FIX] security: OS Command Injection vulnerability (x2) #1219 #1227

merged 7 commits into from
Apr 18, 2024

Conversation

0xtejas
Copy link
Contributor

@0xtejas 0xtejas commented Apr 8, 2024
edited
Loading

This code is resistant to command injection because it uses the subprocess.run() function with a list of arguments instead of a single-string command.

When you pass a list of arguments to a subprocess.run(), Python will not invoke a shell to execute the command. This means that shell metacharacters such as ;, &&, || etc., which could be used to inject additional commands, are treated as literal characters and not interpreted by the shell.

In this case, the URL variable is passed as a separate argument to the command, so even if it contains shell metacharacters, they will not be interpreted as such. This makes the command resistant to command injection attacks.

I have re-tested using the POC and it did not spawn the shell. However, I'd suggest performing a little more extensive test. Let me know if you find anything.

@0xtejas 0xtejas mentioned this pull request Apr 8, 2024
Closed
1 task
fopina
fopina reviewed Apr 16, 2024
View reviewed changes
web/reNgine/common_func.py Outdated Show resolved Hide resolved
@0xtejas @fopina
Update web/reNgine/common_func.py
825dad0 
Removing F-String format.

Co-authored-by: Filipe Pina <[email protected]>
@fopina
Copy link
Contributor

fopina commented Apr 16, 2024

@yogeshojha security vulnerabilities in security products should have more priority than other products 😄

@yogeshojha
Copy link
Owner

Hi @0xtejas Thank you for reporting this.
However instead of using new subprocess command, we have run_command function that solves this issue. I will use this MR and make changes.

Thank you again for reporting.

@yogeshojha
Copy link
Owner

yogeshojha commented Apr 17, 2024
edited
Loading

@0xtejas @sa7mon thank you for reporting this and also sending a PR.

If any of you have time, can you please go through the changes and test it again?

Hopefully, there shouldn't be any issue because run_command is one of the functions that we have used almost everywhere to run the command, and I remember testing this in the path. Under the hood, it uses subprocess.Popen

Let me know if you find something, if not I will merge this tomorrow.

@yogeshojha yogeshojha closed this Apr 17, 2024
@yogeshojha yogeshojha reopened this Apr 17, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 17, 2024
View reviewed changes
web/api/views.py
except Exception as e:
response = {'status': False, 'message': str(e)}
return Response(response)
return Response(response)

Check warning

Code scanning / CodeQL

Information exposure through an exception Medium

Stack trace information
Loading
flows to this location and may be exposed to an external user.
@fopina
Copy link
Contributor

fopina commented Apr 17, 2024

Hi @yogeshojha to comment on the run_command function: while using str.split and shell=False resolves the injection issue, it breaks functionality, eg: scanner -n "quoted arg" bla1 bla2. This likely fails in that code.

There's shlex.split that you could use there to better split the strings, but usually that's only used when you really need to take a full command line as input.

If you only take single arguments as user input, it's cleaner, more secure and more performant to use all the execv family functions by calling subprocess with a manually-controlled/hardcoded list of arguments (and shell=False).

I plan to change my fork to do that:

  • change all calls to pass list of args instead of command line str
  • store commands in DB with json.dumps of command line instead

Would that change make sense to push upstream?

@yogeshojha
Copy link
Owner

Hi @fopina sounds good to me.

For this issue, I will go ahead and continue to use run_command, since this function is being used almost everywhere, when you make changes, I guess testing it thoroughly will take some time.

So until then, I will be going ahead with this approach and will be waiting for your changes.

Thanks

@yogeshojha yogeshojha merged commit 8bd6b02 into yogeshojha:master Apr 18, 2024
7 of 9 checks passed
@psyray psyray mentioned this pull request Sep 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yogeshojha yogeshojha yogeshojha approved these changes

@fopina fopina fopina approved these changes

Assignees
No one assigned
Labels
release/2.0.4
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@0xtejas @fopina @yogeshojha