Closed heck-gd closed 3 weeks ago
By the way, the same commit adds a shell command injection with this line if you control `zip_path`:

```python
p = subprocess.Popen(" ".join(["7z", "x", zip_path, "-o" + dst_path, "-y" , ">" , "/dev/nul"]), stdout=subprocess.PIPE, shell=True)
```
Hello, this commit was left by mistake after testing. Regarding 7z, it is used to avoid using zipfile in Python, since it sometimes gives errors when decompressing zip files. I think it is an issue with ZipFile in Python 2.7.
Hi saleh,

The point is that using `" ".join(...)` AND `shell=True` is highly insecure. You can just pass a list directly as the first Popen parameter rather than joining a string, which will cause all arguments to be quoted properly.

```python
subprocess.Popen(["7z", "x", zip_path, "-o" + dst_path, "-y"], stdout=subprocess.PIPE)
```
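As an added illustration of the point above (example code written for this page, not part of the thread or of the Kuiper project), the snippet below runs the two Popen styles side by side on a constructed `zip_path` that carries a `;` and a second command. `echo` stands in for `7z x` so it runs without 7-Zip installed; the string and shell handling is exactly that of the original call. It also builds the argv for the real 7z call with the output directory glued to `-o`, as 7z expects, and discards output with `stdout=subprocess.DEVNULL`, since the `> /dev/null` redirection in the original has no meaning once the shell is gone. Python 3.7+ is assumed.

```python
import subprocess

# Constructed attacker-controlled value: a legitimate zip_path is just a file
# name; this one ends the intended command with ';' and appends another one.
MALICIOUS_ZIP_PATH = "evidence.zip; echo INJECTED"

# "echo" stands in for "7z x" so the demo runs anywhere (assumption made for
# this example); the shell handling is identical to the original Popen call.
TOOL = "echo"


def run_joined_shell(zip_path):
    """Original pattern: join argv into one string and hand it to a shell.

    The shell re-parses the string, so ';' in zip_path terminates the first
    command and whatever follows runs as a second command.
    """
    cmd = " ".join([TOOL, "x", zip_path])
    proc = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE,
                          text=True, check=False)
    return proc.stdout


def run_argv_list(zip_path):
    """Fixed pattern: pass the argv list directly, no shell involved.

    zip_path reaches the program as a single argv element; the ';' and the
    text after it are never interpreted as a command.
    """
    proc = subprocess.run([TOOL, "x", zip_path], stdout=subprocess.PIPE,
                          text=True, check=False)
    return proc.stdout


def build_7z_argv(zip_path, dst_path):
    """argv for the real extraction, for use with shell=False.

    7z takes the output directory glued to the switch ("-o/tmp/out"), as the
    original code had it; passing "-o" and dst_path as two elements would make
    7z treat dst_path as another file name.
    """
    return ["7z", "x", zip_path, "-o" + dst_path, "-y"]


def extract_with_7z(zip_path, dst_path):
    """Run the hardened extraction (needs 7z on PATH; not exercised below).

    stdout=subprocess.DEVNULL replaces the original "> /dev/null", which was
    shell syntax and cannot appear in an argv list.
    """
    return subprocess.run(build_7z_argv(zip_path, dst_path),
                          stdout=subprocess.DEVNULL, check=False).returncode


if __name__ == "__main__":
    print("shell=True + join ->", repr(run_joined_shell(MALICIOUS_ZIP_PATH)))
    print("argv list         ->", repr(run_argv_list(MALICIOUS_ZIP_PATH)))
```

Running it shows the joined form producing two lines of output (the second being `INJECTED`, proof that the appended command executed), while the list form prints the whole attacker string once as an ordinary argument.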
A lot of security concerns are not taken into consideration; the assumption is that Kuiper is running in a closed environment. If somebody wants to run malicious code, it is possible to upload it as a new parser :)
In commit https://github.com/DFIRKuiper/Kuiper/commit/ebbc5b74fb8ea5e2cdf91809e07d97d0ac60f426 the functionality for removing raw files from disk after extraction was commented out.
Was this done on purpose? It looks like it may have been a test and you forgot to put it back before committing.