search

Node-Virtualization / node-virtualbox

A JavaScript Library for Interacting with VirtualBox
MIT License
259 stars 68 forks source link

Potential for Arbitrary Command Injection #29

Closed archcloudlabs closed 8 years ago

archcloudlabs commented 8 years ago

the functions below in virtualbox.js, could allow for a user to inject additional commands with the cmd variable (ex: "; pwd") resulting in remote command execution assuming this was public facing.

function vboxcontrol(cmd, callback) {
  command('VBoxControl ' + cmd, callback);
}

function vboxmanage(cmd, callback) {
  command(vBoxManageBinary + cmd, callback);
}
michaelsanford commented 8 years ago

Hi @jaredestroud !

This is certainly true. However, we never expected that these API would ever directly consume public, unfiltered input. As such, node-virtualbox affords no protection against it.

It shouldn't really be the responsibility of node-virtualbox to police input, because:

  1. We have no idea what virtual environment might be running behind the API, and
  2. We have no idea and take no opinion about what the developer chooses to do with their virtual environment: maybe someone actually does need to be able to run sudo rm -rf / for some reason.

We should therefore remain un-opinionated with regard to how the API is used.

Thank you for bringing this up. At the very least, I could add a note in the README to underline this behaviour for those who may not be aware.