Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve bash escape code #31

Open
Marak opened this issue Feb 17, 2017 · 1 comment
Open

Improve bash escape code #31

Marak opened this issue Feb 17, 2017 · 1 comment
Labels
bug

Comments

@Marak
Copy link
Collaborator

Marak commented Feb 17, 2017
edited
Loading

It seems it's possible to execute arbitrary bash commands through HTTP parameters when using bash services ( and other possible languages too ).

This isn't intended behavior and should be fixed.

The actual security implications would be determined by the configuration of the server environment microcule is running on. For hook.io, it's not really a problem ( since workers running code are secure on the operating system level ), but it could cause issues for on non-secure systems running untrusted source code.
@Marak Marak added the bug label Feb 17, 2017
Marak added a commit that referenced this issue Feb 18, 2017
@Marak
[api] [security] [fix] Ensure backticks escape
ae64781 
  * Fixes eval issue for for perl and bash #31
  * Should be working for some cases, but not all
  * Requires additional review
@gregory
Copy link

gregory commented Mar 14, 2017

well, it's not only about running commands. I'm not sure that people would want to reveal the environment variables of the running process.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Marak @gregory