
dangerous-exec-command

Open SbruiceS opened this issue 1 year ago • 2 comments

Description

Detected non-static command inside Command. Audit the input to exec.Command. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.

core/container/externalbuilder/externalbuilder.go#L401

```go
// core/container/externalbuilder/externalbuilder.go#L401, as quoted in the report
func (b *Builder) NewCommand(name string, args ...string) *exec.Cmd {
	// name and args reach exec.Command unvalidated; a bare name is resolved through PATH.
	cmd := exec.Command(name, args...)
	// Only the configured keys are copied from the peer's environment into the child process.
	propagationList := appendDefaultPropagateEnvironment(b.PropagateEnvironment)
	for _, key := range propagationList {
		if val, ok := os.LookupEnv(key); ok {
			cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", key, val))
		}
	}
	return cmd
}
```

References

https://owasp.org/Top10/A03_2021-Injection

Steps to reproduce

No response

SbruiceS avatar Dec 10 '24 03:12 SbruiceS
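The following is an added illustration, not Fabric's code and not part of the issue. It shows the two things a practitioner would check when auditing this finding: first, that exec.Command with separate args never invokes a shell, so the "; id" style injection the scanner message alludes to only happens when caller data is concatenated into an sh -c string; second, a hardened shape of NewCommand that pins the program to an absolute directory (a bare name otherwise goes through a PATH lookup) and validates the propagated environment keys. The Builder.BinDir field, ResolveCommand and PropagateEnv are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// Hypothetical illustration, not Fabric's code. BinDir, ResolveCommand and
// PropagateEnv are names assumed for this example.

var ErrBadCommandName = errors.New("command name must be a bare file name inside BinDir")
var ErrBadEnvKey = errors.New("environment key contains '=' or NUL")

// UnsafeShellCommand is the pattern the finding describes: caller data is
// concatenated into a string that a shell parses. In the resulting argv,
// "foo; id" is two shell commands.
func UnsafeShellCommand(userArg string) []string {
	return exec.Command("sh", "-c", "mytool "+userArg).Args
}

// DirectCommand passes the same data as a single argv element. No shell runs,
// so "; id" is just bytes in argv[1]; the remaining risk is whether an
// untrusted party can choose the program name or its flags.
func DirectCommand(userArg string) []string {
	return exec.Command("mytool", userArg).Args
}

// ResolveCommand pins the program to an absolute directory. exec.Command
// looks a bare name up on PATH, so a poisoned PATH redirects the call; an
// absolute path skips that lookup. Separators, "." and ".." are rejected so
// the name cannot escape BinDir.
func ResolveCommand(binDir, name string) (string, error) {
	if !filepath.IsAbs(binDir) {
		return "", fmt.Errorf("BinDir %q is not absolute", binDir)
	}
	if name == "" || name == "." || name == ".." || filepath.Base(name) != name {
		return "", ErrBadCommandName
	}
	return filepath.Join(binDir, name), nil
}

// PropagateEnv builds the child's environment from an explicit key list
// rather than os.Environ(). lookup is injectable so the function can be
// exercised without touching the real process environment.
func PropagateEnv(keys []string, lookup func(string) (string, bool)) ([]string, error) {
	var env []string
	for _, key := range keys {
		if strings.ContainsAny(key, "=\x00") {
			return nil, fmt.Errorf("%w: %q", ErrBadEnvKey, key)
		}
		if val, ok := lookup(key); ok {
			env = append(env, key+"="+val)
		}
	}
	return env, nil
}

type Builder struct {
	BinDir               string   // assumed: absolute directory holding the builder's scripts
	PropagateEnvironment []string // keys copied from the parent's environment
}

// NewCommand keeps the shape of the reported function but validates name and
// the environment keys before anything reaches exec.Command.
func (b *Builder) NewCommand(name string, args ...string) (*exec.Cmd, error) {
	path, err := ResolveCommand(b.BinDir, name)
	if err != nil {
		return nil, err
	}
	env, err := PropagateEnv(b.PropagateEnvironment, os.LookupEnv)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(path, args...)
	cmd.Env = env
	return cmd, nil
}

func main() {
	fmt.Println("shell argv: ", UnsafeShellCommand("foo; id"))
	fmt.Println("direct argv:", DirectCommand("foo; id"))
	b := &Builder{BinDir: "/opt/builder/bin", PropagateEnvironment: []string{"PATH", "HOME"}}
	if _, err := b.NewCommand("../../../bin/sh"); err != nil {
		fmt.Println("rejected:", err)
	}
	cmd, _ := b.NewCommand("build", "/tmp/src")
	fmt.Println("resolved:", cmd.Path, cmd.Args)
}
```

The argv comparison is the check to run first on any such finding: if every piece of caller data lands in its own argv slot, the shell-metacharacter class of injection is out of scope and the audit should focus on who controls the program name and on option-style arguments the child itself interprets.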

Also in these: integration/nwo/command.go:28 and integration/nwo/network.go:1225

SbruiceS avatar Dec 10 '24 03:12 SbruiceS

In practice the only actor that could do this is the peer admin. If the peer admin is malicious you've got bigger problems. That being said, we would welcome pull requests to audit the input.

denyeart avatar Dec 23 '24 03:12 denyeart