Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix a possible shell command injection in the linux.service action #4675

Merged
merged 5 commits into from
May 14, 2019
Merged

Fix a possible shell command injection in the linux.service action #4675

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
80cd407
Fix possible shell injection in linux.service action.
Kami May 13, 2019
1177876
Add changelog entry for it.
Kami May 13, 2019
684f7a4
Update changelog entry.
Kami May 13, 2019
cd7a3fe
Update parameter description.
Kami May 13, 2019
2c830c5
Merge branch 'master' into service_action_fix
Kami May 14, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions CHANGELOG.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,11 @@ Fixed

In such scenario, package / module was incorrectly loaded from Python 2 site-packages instead of
Python 3 standard library which broke such packs. (bug fix) #4658 #4674
* Fix a possible shell injection in the ``linux.service`` action. User who had access to run this
action could cause a shell command injection by passing a compromised value for either the
``service`` or ``action`` parameter. (bug fix) #4675

Reported by James Robinson (Netskope and Veracode).

3.0.0 - April 18, 2019
----------------------
Expand Down
15 changes: 10 additions & 5 deletions contrib/linux/actions/service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,20 +20,25 @@
import platform
import subprocess

from st2common.util.shell import quote_unix

distro = platform.linux_distribution()[0]

args = {'act': sys.argv[1], 'service': sys.argv[2]}
if len(sys.argv) < 3:
raise ValueError('Usage: service.py <action> <service>')

args = {'act': quote_unix(sys.argv[1]), 'service': quote_unix(sys.argv[2])}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now not strictly needed since subprocess.Popen already takes case of that when a list of args and shell=False is used.


if re.search(distro, 'Ubuntu'):
if os.path.isfile("/etc/init/%s.conf" % args['service']):
cmd = args['act'] + " " + args['service']
cmd_args = ['service', args['service'], args['act']]
elif os.path.isfile("/etc/init.d/%s" % args['service']):
cmd = "/etc/init.d/%s %s" % (args['service'], args['act'])
cmd_args = ['/etc/init.d/%s' % (args['service']), args['act']]
else:
print("Unknown service")
sys.exit(2)
elif re.search(distro, 'Redhat') or re.search(distro, 'Fedora') or \
re.search(distro, 'CentOS Linux'):
cmd = "systemctl %s %s" % (args['act'], args['service'])
cmd_args = ['systemctl', args['act'], args['service']]

subprocess.call(cmd, shell=True)
subprocess.call(cmd_args, shell=False)
2 changes: 1 addition & 1 deletion contrib/linux/actions/service.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
parameters:
act:
type: "string"
description: "Action to perform on service"
description: "Action to perform on service (e.g. start, stop, restart, etc.)"
position: 0
service:
type: "string"
Expand Down