microcule icon indicating copy to clipboard operation
microcule copied to clipboard

Published 20 hours ago verified publisher icon stackvana

Improve bash escape code

Open Marak opened this issue 8 years ago • 1 comments

It seems it's possible to execute arbitrary bash commands through HTTP parameters when using bash services ( and other possible languages too ).

This isn't intended behavior and should be fixed.

The actual security implications would be determined by the configuration of the server environment microcule is running on. For hook.io, it's not really a problem ( since workers running code are secure on the operating system level ), but it could cause issues for on non-secure systems running untrusted source code.

Marak avatar Feb 17 '17 19:02 Marak

well, it's not only about running commands. I'm not sure that people would want to reveal the environment variables of the running process.

gregory avatar Mar 14 '17 08:03 gregory