
Potential Errors command-line-injection Related to CWE-78 in hmi_worker.cc

Open Close-Recover opened this issue 1 year ago • 0 comments

Dear developers,

When we used CodeQL (GitHub's own static code analysis tool) to analyze the project, it reported some errors in code that may cause a breakdown. We also found that these potential errors tend to exist in the project for a relatively long time. In this issue we provide the errors from a single file, modules/dreamview/backend/hmi/hmi_worker.cc, including their names, locations and analysis steps (code data flow). Hopefully they will get your attention, and we are looking forward to further communication.

System information

  • OS Platform and Distribution: Linux Ubuntu 18.04
  • Apollo installed from: source
  • Apollo version: 9.0, but some of the errors also appear in earlier versions like 9.0.0-alpha1
  • Output of apollo.sh config if on master branch: no output can be given because the analysis was run just after standard installation

Steps to reproduce the issue:

  • Prepare everything by following the guidance of the official docs before running './apollo.sh build'
  • Then use the CodeQL database create command to establish the database, setting '--command' to './apollo.sh build'; it looks like: codeql database create new-database --language=<language> --command='./apollo.sh build'
  • Please note that the process needs a clean build and may take a long time to finish. Using a clean command and parallelization techniques suited to your hardware environment may help you make it faster

Supporting materials (screenshots, command lines, code/script snippets):

  • Because of GitHub's limits, we cannot attach the original file directly. You can contact us by email to obtain it: [email protected]
  • A similar situation also occurs in modules/dreamview_plus/backend/hmi/hmi_worker.cc
  • Here is the information on the errors that were reported as the most important. They are focused on command-line-injection: using user-supplied data in an OS command without neutralizing special elements can make code vulnerable to command injection, which is related to CWE-78. The <number:number> pattern marks the specific location of code in the code file (e.g. in 'fread output argument novatel.c 2001:13', 'fread output argument' is the code and '2001:13' is the detailed location) and helps you to trace the code data flow in the program:

This argument to an OS command is derived from user input (string read by fgets), dangerously concatenated into call to operator+, and then passed to system(__command):

  • fgets output argument hmi_worker.cc 920:16
  • *GetCommandRes hmi_worker.cc 910:13
  • call to GetCommandRes hmi_worker.cc 820:24
  • *absolute_path hmi_worker.cc 896:50
  • call to operator+ hmi_worker.cc 896:39
  • __lhs basic_string.h 5989:55
  • *operator+ basic_string.h 5989:5
  • call to operator+ hmi_worker.cc 896:64
  • call to operator+ hmi_worker.cc 896:70
  • call to operator+ hmi_worker.cc 897:53
  • call to operator+ hmi_worker.cc 897:79
  • *call to data hmi_worker.cc 900:41

This argument to an OS command is derived from user input (an environment variable), dangerously concatenated into call to operator+, and then passed to system(__command):

  • *call to getenv environment.h 31:21
  • *GetEnv environment.h 29:20
  • call to GetEnv hmi_worker.cc 784:28
  • call to operator+ hmi_worker.cc 785:34
  • operator= output argument hmi_worker.cc 785:3
  • GetScenarioResourcePath output argument hmi_worker.cc 1234:27
  • *directory_path hmi_worker.cc 1240:37
  • call to operator+ hmi_worker.cc 1240:35
  • *call to data hmi_worker.cc 1243:27

This argument to an OS command is derived from user input (an environment variable), dangerously concatenated into call to operator+, and then passed to system(__command):

  • *call to getenv environment.h 31:21
  • *GetEnv environment.h 29:20
  • call to GetEnv hmi_worker.cc 1318:28
  • call to operator+ hmi_worker.cc 1319:23
  • operator= output argument hmi_worker.cc 1319:3
  • GetRecordPath output argument hmi_worker.cc 1416:17
  • *record_path hmi_worker.cc 1439:37
  • call to operator+ hmi_worker.cc 1439:35
  • *call to data hmi_worker.cc 1440:27

Close-Recover, Mar 12 '24 15:03
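The three CodeQL paths above share one shape: a string that originates outside the program (a line read with fgets, or an environment variable) is built up with operator+ and its .data() pointer is handed to system(), so whatever the shell finds in that string is interpreted as shell syntax. The following is an added illustration written for this page, not code from Apollo or from the issue author: it shows the vulnerable construction next to a hardened form that allow-lists the untrusted path component and executes an argv vector with fork/execvp so no shell parses the string. All function names (BuildShellCommandUnsafe, IsSafeRelativePath, BuildArgv, RunWithoutShell), the base directory and the sample inputs are hypothetical and constructed for the example.

```cpp
// Added example (not Apollo code): the CWE-78 pattern flagged by CodeQL,
// beside a hardened alternative. All names and inputs are hypothetical.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Vulnerable shape: untrusted path text glued into a shell command line.
// This mirrors the flagged flow (string -> operator+ -> system(cmd.data())).
// The caller would hand the result to system(); we only build it here.
std::string BuildShellCommandUnsafe(const std::string& untrusted_path) {
  return "ls -l " + untrusted_path;
}

// Allow-list check for a relative file name: only characters that a record
// or scenario name legitimately needs. Shell metacharacters, traversal
// sequences, absolute paths and option-like names are all rejected.
bool IsSafeRelativePath(const std::string& p) {
  if (p.empty() || p.size() > 255) return false;
  if (p.find("..") != std::string::npos) return false;
  if (p.front() == '/' || p.front() == '-') return false;
  for (unsigned char c : p) {
    if (!(std::isalnum(c) || c == '_' || c == '-' || c == '.' || c == '/')) {
      return false;
    }
  }
  return true;
}

// Hardened shape: validate the untrusted part, anchor it under a fixed base
// directory, and build an argv vector. "--" stops option parsing by ls.
bool BuildArgv(const std::string& base_dir, const std::string& untrusted_path,
               std::vector<std::string>* argv) {
  if (!IsSafeRelativePath(untrusted_path)) return false;
  argv->assign({"ls", "-l", "--", base_dir + "/" + untrusted_path});
  return true;
}

// Execute the argv directly with fork/execvp. No shell is involved, so the
// arguments are passed as-is. Returns the child's exit status, or -1.
int RunWithoutShell(const std::vector<std::string>& argv) {
  std::vector<char*> raw;
  for (const auto& a : argv) raw.push_back(const_cast<char*>(a.c_str()));
  raw.push_back(nullptr);
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    execvp(raw[0], raw.data());
    _exit(127);  // only reached if exec failed
  }
  int status = 0;
  if (waitpid(pid, &status, 0) < 0) return -1;
  return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
  // Constructed sample input carrying a shell metacharacter.
  const std::string tainted = "demo.record; echo injected";
  std::printf("unsafe command string: %s\n",
              BuildShellCommandUnsafe(tainted).c_str());

  std::vector<std::string> argv;
  if (!BuildArgv("/apollo/data", tainted, &argv)) {
    std::printf("rejected by allow-list: %s\n", tainted.c_str());
  }
  // A well-formed name passes and runs without a shell (base dir is hypothetical).
  if (BuildArgv(".", "", &argv) == false && BuildArgv(".", "Makefile", &argv)) {
    std::printf("exit status: %d\n", RunWithoutShell(argv));
  }
  return 0;
}
```

The essential difference is where the string stops being data: with system() the whole concatenated line is reparsed by /bin/sh, so every tainted source in the CodeQL paths (fgets, getenv) reaches the shell's parser; with the argv form each element stays a single argument, and the allow-list keeps the untrusted component from carrying anything but a plain file name.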