Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible parameter injection in search query #266

Closed
mijorus opened this issue May 2, 2022 · 7 comments
Closed

Possible parameter injection in search query #266

mijorus opened this issue May 2, 2022 · 7 comments
Labels
staging

Comments

@mijorus
Copy link

mijorus commented May 2, 2022

bauh/bauh/commons/system.py

Line 215 in 8a81ae4

def run_cmd(cmd: str, expected_code: int = 0, ignore_return_code: bool = False, print_error: bool = True,

Hi,
I was checking the code and it looks like there isn't any sort of input sanification.
In fact, if I run a search something like --user or --not-a-param it throws an error.

I don't know it this could have security implications, my guess is that it could as someone who knows the shell better than me might inject some code into it and run external commands using interpolation (?)

Or maybe I am wrong.
@vinifmor
Copy link
Owner

vinifmor commented May 2, 2022

The search's command injection is possible indeed. Since bauh's input interface is an UI, it would require an attacker to gain full access to your desktop session and uses bauh to perform the attack (in this scenario, bauh would be your minor problem :) ). Considering the attack possibility and probability, I see this vulnerability as a a minor security issue.

Not all back-ends use this function to query, but I'm going to add a sanitization code anyway.

@mijorus
Copy link
Author

mijorus commented May 2, 2022

more than injection, I would rather speak of unwanted sideeffects.

For example, searching for music -player is enough to make it crash, as -player is seen as an option.

I tested and for some reason flatpak does not like quotes, ex: flatpak search "music player" returns empty

@vinifmor
Copy link
Owner

vinifmor commented May 2, 2022

Ok, could you attach logs so we can trace the crash cause ?

@vinifmor
Copy link
Owner

vinifmor commented May 2, 2022

(the sanitization code is already on the staging branch -> c0fde36)

@mijorus
Copy link
Author

mijorus commented May 2, 2022

When searching for music -player

QSocketNotifier: Can only be used with threads started with QThread
error: Unknown option -player
Exception in thread Thread-68 (_search):
Traceback (most recent call last):
  File "/usr/lib/python3.10/threading.py", line 1009, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.10/threading.py", line 946, in run
    self._target(*self._args, **self._kwargs)
  File "/home/altravia/.local/lib/python3.10/site-packages/bauh/view/core/controller.py", line 144, in _search
    apps_found = man.search(words=word, disk_loader=disk_loader, is_url=is_url, limit=-1)
  File "/home/altravia/.local/lib/python3.10/site-packages/bauh/gems/flatpak/controller.py", line 103, in search
    apps_found = flatpak.search(flatpak.get_version(), words, remote_level)
  File "/home/altravia/.local/lib/python3.10/site-packages/bauh/gems/flatpak/flatpak.py", line 335, in search
    split_res = res.strip().split('\n')
AttributeError: 'NoneType' object has no attribute 'strip'

@mijorus
Copy link
Author

mijorus commented May 2, 2022

This happens because -player is not recognised as an valid parameter, run_cmd fails and there is no try except

@mijorus mijorus mentioned this issue May 2, 2022
Closed
@mijorus
Copy link
Author

mijorus commented May 2, 2022

#267

@vinifmor vinifmor mentioned this issue May 30, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
staging
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vinifmor @mijorus