Skip to content
This repository has been archived by the owner on Jul 25, 2022. It is now read-only.

Sanitize user input when executing local commands #267

Open
petersutter opened this issue Aug 21, 2020 · 6 comments · Fixed by #313 or #314
Open

Sanitize user input when executing local commands #267

petersutter opened this issue Aug 21, 2020 · 6 comments · Fixed by #313 or #314
Labels
kind/epic Large multi-story topic lifecycle/rotten Nobody worked on this for 12 months (final aging stage)

Comments

@petersutter
Copy link
Contributor

User input should be sanitized before local command execution, otherwise there is a possibility for command injection.

E.g. see this code
https://github.com/gardener/gardenctl/blob/3ff05d6244a4cc19d618a55037dfd0ac1b9b31b8/pkg/cmd/ssh_alicloud.go#L202

a.MyPublicIP is determined by calling an external service
https://github.com/gardener/gardenctl/blob/3ff05d6244a4cc19d618a55037dfd0ac1b9b31b8/pkg/cmd/miscellaneous.go#L327-L331

If this service returns a command instead of an IP, I assume that this command would get executed as per code above.
There are a lot of other places where local commands are executed and most of them, if not all, do not sanitize the input.

And taking another look at the above example, why is the aliyun binary not called directly with the other parameters as arguments? https://github.com/gardener/gardenctl/blob/3ff05d6244a4cc19d618a55037dfd0ac1b9b31b8/pkg/cmd/ssh_alicloud.go#L202

See also #266 to further reduce the need to execute local commands and thereby reducing the attack vector.
@neo-liang-sap
Copy link
Contributor

/assign

@dansible
Copy link
Contributor

Some comments on this in a related issue: https://github.com/gardener/gardenctl/pull/263/files#r473192089

@neo-liang-sap
Copy link
Contributor

/unassign

unassign as:

  • not started working yet, @jfortin-sap if you have more insight and availability on this feel free take it ;)
  • pending other PRs , see comment above

@tedteng tedteng mentioned this issue Sep 2, 2020
Merged
@tedteng
Copy link
Contributor

tedteng commented Sep 14, 2020

/assign

This was referenced Sep 15, 2020
Merged
Merged
@petersutter
Copy link
Contributor Author

/reopen

is every occurence really fixed now?

func ExecCmd(input []byte, cmd string, suppressedOutput bool, environment ...string) (err error) {
	var command *exec.Cmd
	parts := strings.Fields(cmd)
	head := parts[0]
	if len(parts) > 1 {
		parts = parts[1:]
	} else {
		parts = nil
	}
	command = exec.Command(head, parts...)
	...

the ExecCmd function should not be called with a cmd string and instead the caller should pass the name and arguments directly for exec.Command, otherwise an attacker could sneak in arguments

@tedteng tedteng mentioned this issue Sep 22, 2020
Closed
@neo-liang-sap neo-liang-sap mentioned this issue Sep 22, 2020
Closed
This was referenced Sep 22, 2020
Closed
Closed
Closed
Open
Open
@tedteng
Copy link
Contributor

tedteng commented Sep 22, 2020

/epic Please do not close this ticket which as epic ticket tracking all the sub-tasks.

@gardener-robot gardener-robot added the kind/epic Large multi-story topic label Sep 22, 2020
@tedteng tedteng removed their assignment Sep 22, 2020
@neo-liang-sap neo-liang-sap mentioned this issue Sep 22, 2020
Closed
@tedteng tedteng mentioned this issue Sep 28, 2020
Open
@gardener-robot gardener-robot added the lifecycle/stale Nobody worked on this for 6 months (will further age) label Nov 22, 2020
@gardener-robot gardener-robot added lifecycle/rotten Nobody worked on this for 12 months (final aging stage) and removed lifecycle/stale Nobody worked on this for 6 months (will further age) labels Sep 22, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/epic Large multi-story topic lifecycle/rotten Nobody worked on this for 12 months (final aging stage)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

sanitize_267_download_refactor tedteng/gardenctl
sanitize_267_ls_refactor tedteng/gardenctl
5 participants
@petersutter @dansible @tedteng @neo-liang-sap @gardener-robot