Pydpiper currently suffers from a number of command injection issues. This should be considered more a reliability than a security issue since Pydpiper is meant to be run by users and not offered as a service to arbitrary users, and anyway the potential fixes (e.g. quoting via shlex.quote) may not be entirely secure.
Known parts of Pydpiper where this is an issue:
[ ] as of 2.0.16, we use Jinja2 templates to generate most shell commands but don't use shell escaping in the templates;
[ ] the flags --executor-wrapper, --command-wrapper, and --use-singularity simply generate larger bash commands, losing one level of escaping in the nested (sub)-command;
[ ] we hand generate single quotesto escape the square brackets in ANTs commands; this seems unreliable and it would be nice not to have to do this (although in fact it's probably unnecessary since the square brackets don't actually get (mis)-interpreted even when passed through bash)
[ ] flags are currently passed to executors on the command line, which seems like a hack and should probably be changed;
Pydpiper currently suffers from a number of command injection issues. This should be considered more a reliability than a security issue since Pydpiper is meant to be run by users and not offered as a service to arbitrary users, and anyway the potential fixes (e.g. quoting via
shlex.quote) may not be entirely secure.Known parts of Pydpiper where this is an issue: