
fix uncontrolled command line main

Open odaysec opened this issue 7 months ago • 1 comments

https://github.com/microsoft/OmniParser/blob/5171b092483ab3e74ca50b9357e225f9f3571f18/omnitool/omnibox/vm/win11setup/setupscripts/server/main.py#L36-L49

To fix the issue, we need to validate and restrict the commands that can be executed. This can be achieved by implementing an allowlist of permitted commands and their arguments. The allowlist ensures that only predefined, safe commands can be executed, regardless of user input. Additionally, we should avoid using shell=True unless absolutely necessary.

Code that passes user input directly to exec, eval, or some other library routine that executes a command allows the user to execute malicious code.

Steps to fix:

  1. Define an allowlist of permitted commands and their arguments.
  2. Validate the user-provided command against the allowlist.
  3. Reject or sanitize any commands that do not match the allowlist.
  4. Remove or restrict the use of shell=True.

odaysec, May 19 '25 03:05
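The four steps above, sketched in Python as an added example (not code from the OmniParser repository or from the issue author). `ALLOWLIST`, `CommandRejected`, `build_argv` and `run_allowed` are hypothetical names, and `sys.executable` stands in for whatever fixed binaries a deployment would actually permit.

```python
import re
import shlex
import subprocess
import sys

# Hypothetical allowlist: logical name -> (fixed argv prefix, pattern for user arguments).
# sys.executable is a stand-in for the fixed binaries a real deployment would permit.
# Arguments may not start with "-", so a caller cannot smuggle in extra options.
SAFE_ARG = re.compile(r"[A-Za-z0-9_.][A-Za-z0-9_.\-]{0,63}")
ALLOWLIST = {
    "version": ([sys.executable, "--version"], None),  # takes no user arguments
    "echo": ([sys.executable, "-c", "import sys; print(*sys.argv[1:])"], SAFE_ARG),
}


class CommandRejected(ValueError):
    """Raised when a request does not match the allowlist."""


def build_argv(request):
    """Turn a user-supplied command (string or list) into a vetted argv list."""
    try:
        # Parse without a shell: ;, |, && and $() are never interpreted, only tokenized.
        parts = shlex.split(request) if isinstance(request, str) else list(request)
    except (ValueError, TypeError) as exc:
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not parts or not all(isinstance(p, str) for p in parts):
        raise CommandRejected("empty or non-string command")
    name, user_args = parts[0], parts[1:]
    if name not in ALLOWLIST:  # reject anything not predefined
        raise CommandRejected(f"command not permitted: {name!r}")
    prefix, arg_pattern = ALLOWLIST[name]
    if user_args and arg_pattern is None:
        raise CommandRejected(f"{name!r} takes no arguments")
    for arg in user_args:
        if not arg_pattern.fullmatch(arg):
            raise CommandRejected(f"argument not permitted: {arg!r}")
    return prefix + user_args  # the program to run never comes from the request


def run_allowed(request, timeout=10):
    """Validate first, then execute with shell=False and a timeout."""
    argv = build_argv(request)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)
```
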

@microsoft-github-policy-service agree

odaysec, May 19 '25 03:05