DFIRKuiper / Kuiper

Digital Forensics Investigation Platform

Raw file removal code commented in recent commit #118

Closed heck-gd closed 3 weeks ago

heck-gd commented 6 months ago

In commit https://github.com/DFIRKuiper/Kuiper/commit/ebbc5b74fb8ea5e2cdf91809e07d97d0ac60f426 the functionality for removing raw files from disk after extraction was commented out.

Was this done on purpose? It looks like it may have been a test and you forgot to put it back before committing.

heck-gd commented 2 months ago

By the way, the same commit adds a shell command injection with this line if you control zip_path:

p = subprocess.Popen(" ".join(["7z", "x", zip_path, "-o" + dst_path, "-y" , ">" , "/dev/nul"]), stdout=subprocess.PIPE, shell=True)
salehmuhaysin commented 1 month ago

Hello, this commit was left by mistake after testing. Regarding the 7z, it is used to avoid using the zipfile in Python since it gives errors sometimes when decompressing zip files. I think it is an issue with ZipFile in Python 2.7.

heck-gd commented 1 month ago

Hi Saleh, the point is that using " ".join(...) AND shell=True is highly insecure. You can just pass a list directly as the first Popen parameter rather than joining a string, which will cause all arguments to be quoted properly.

import subprocess

# 7z expects the output directory attached to the -o switch, so keep "-o" + dst_path as one argument
subprocess.Popen(["7z", "x", zip_path, "-o" + dst_path, "-y"], stdout=subprocess.PIPE)
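The difference between the joined-string form and the argv-list form, as an added example that is not part of this issue thread or of the Kuiper code. It assumes a constructed zip filename containing a space and an ampersand, and it stands in a small Python child process for 7z so the demonstration runs without 7z installed; `extract_argv`, `argv_seen_by_child`, `join_preserves_argv` and `run_extract` are hypothetical helper names.

```python
import shlex
import subprocess
import sys


def extract_argv(zip_path, dst_path):
    # Build the argv list for 7z. Each element is handed to the child as one
    # literal argument, so shell metacharacters in zip_path are never interpreted.
    # 7z needs the output directory attached to -o, hence "-o" + dst_path.
    return ["7z", "x", zip_path, "-o" + dst_path, "-y"]


def run_extract(zip_path, dst_path):
    # Hardened equivalent of the original call: no shell, and the "> /dev/null"
    # redirection becomes stdout=subprocess.DEVNULL. Needs 7z on PATH to run.
    return subprocess.run(extract_argv(zip_path, dst_path),
                          stdout=subprocess.DEVNULL, check=True)


def argv_seen_by_child(argv):
    # Replace the "7z" executable with a Python child that echoes its own argv,
    # one element per line, so we can see exactly what the child received.
    child = [sys.executable, "-c",
             "import sys; print('\\n'.join(sys.argv[1:]))"] + argv[1:]
    out = subprocess.run(child, capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def join_preserves_argv(argv):
    # Simulates what " ".join(...) followed by shell=True does: the shell
    # re-tokenizes the string. If the tokens differ from the intended argv,
    # the joined form has already lost (or changed) the argument boundaries.
    return shlex.split(" ".join(argv)) == argv


if __name__ == "__main__":
    # Constructed sample input: a filename with a space and an ampersand.
    sample_zip = "evidence & notes.zip"
    argv = extract_argv(sample_zip, "/tmp/out")
    print("argv list form, as received by the child:", argv_seen_by_child(argv))
    print("joined string keeps argument boundaries:", join_preserves_argv(argv))
```

With the list form the child receives `evidence & notes.zip` as a single argument; with the joined string the shell would split it into three tokens and treat `&` as an operator, which is the failure mode the comment above describes.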
salehmuhaysin commented 1 month ago

A lot of security concerns are not taken into consideration; the assumption is that Kuiper is running in a closed environment. If somebody wants to run malicious code, it is possible to upload it as a new parser :)