
A kind reminder: shell-command-injection-from-environment in gen.js

Open Vage9 opened this issue 1 year ago • 0 comments

System information

  • OS Platform and Distribution: Linux Ubuntu 18.04
  • Apollo installed from: source, in docker
  • Apollo version: 9.0, the problem stays in the latest master branch
  • Output of apollo.sh config if on master branch:

    root@in-dev-docker:/apollo# ./apollo.sh config
    [INFO] No rocm-smi found.
    [INFO] NVIDIA GPU device found.
    [INFO] Apollo Environment Settings:
    [INFO] APOLLO_ROOT_DIR: /apollo
    [INFO] APOLLO_CACHE_DIR: /apollo/.cache
    [INFO] APOLLO_IN_DOCKER: true
    [INFO] APOLLO_VERSION: master-2024-05-23-54c820207c
    [INFO] DOCKER_IMG: dev-x86_64-18.04-20240326_1453
    [INFO] APOLLO_ENV: STAGE=dev USE_ESD_CAN=false
    [INFO] USE_GPU_HOST: 1
    [INFO] USE_GPU_TARGET: 1
    [INFO] GPU_PLATFORM: NVIDIA
    [INFO] Configure .apollo.bazelrc in non-interactive mode
    [INFO] You have bazel 5.2.0 installed.
    [INFO] Found possible Python library paths: /usr/lib/python3/dist-packages /usr/local/lib/python3.6/dist-packages
    [INFO] Found CUDA 11.1 in: /usr/local/cuda-11.1/targets/x86_64-linux/lib /usr/local/cuda-11.1/targets/x86_64-linux/include
    [INFO] Found cuDNN 8 in: /usr/lib/x86_64-linux-gnu /usr/include
    [INFO] Found TensorRT 7 in: /usr/lib/x86_64-linux-gnu /usr/include/x86_64-linux-gnu
    [ OK ] Successfully configured .apollo.bazelrc in non-interactive mode.
    [INFO] Usage: /apollo/scripts/apollo_config.sh [Options]
    [INFO] Options:
    [INFO] -i|--interactive Run in interactive mode
    [INFO] -n|--noninteractive Run in non-interactive mode
    [INFO] -h|--help Show this message and exit

Steps to reproduce the issue:

  • I used CodeQL to scan the code directly.

Supporting materials (screenshots, command lines, code/script snippets):

You can get the raw data in this repository: https://github.com/Close-Recover/ADS-Code-Test-Results/tree/main

I'll take out the related information as follows. In modules/dreamview_plus/frontend/packages/dreamview/scripts/gen.js:

  • path.re ... ../..') 8:23
  • DREAMVIEW_DIR 8:7
  • DREAMVIEW_DIR 16:3
  • `\n${'.. ... PATH}\n` 14:23
  • generateProto 14:7
  • generateProto 25:6

and:

  • path.re ... le.js') 10:37
  • DREAMVIEW_PROTO_BUNDLE_PATH 10:7
  • DREAMVI ... LE_PATH 21:34
  • `\n${'.. ... PATH}\n` 20:29
  • generateDeclaration 20:7
  • generateDeclaration 39:10

In these two places, building a shell command string with values from the enclosing environment may cause subtle bugs or vulnerabilities. I think they are related to CWE-078 (https://cwe.mitre.org/data/definitions/78.html, https://www.kiuwan.com/docs/display/K5/CWE-78+%3A+OS+Command+Injection).

Vage9 avatar May 26 '24 15:05 Vage9