UbiCastTeam / rephacheck

Health check for PostgreSQL cluster managed by repmgr
GNU Lesser General Public License v3.0

Vulnerable to command injection #1

Open WaldoSRHS opened 5 years ago

WaldoSRHS commented 5 years ago

There is no filtering of user input or a whitelist of allowed commands, so this is vulnerable to command injection exploits.

I recommend either a whitelist of allowed commands (rejecting all other user commands) or setting your pg_hba.conf to only allow known hosts.

I'm not a PostgreSQL expert, but adding the following line below your current settings may achieve this.

```
# TYPE  DATABASE  USER  ADDRESS  METHOD
host    all       all   samenet  trust
```
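The two mitigations the report asks for, an allowlist of accepted check names and accepting requests only from known hosts, as an added example in Python. This is not rephacheck's own code and does not reproduce the project's real command table: the check names, the `repmgr node check` argument lists, the networks and the addresses are all assumptions. The unsafe builder at the top is only there to show the pattern the report describes next to what an allowlist replaces it with.

```python
# Added example (not rephacheck's code): an allowlist of check commands and of
# caller addresses, in the shape of a small request handler such as a
# socket-activated health check would use. Command lines, networks and
# addresses below are assumptions.
import ipaddress
import subprocess


# The pattern the issue describes: the request text is spliced into a shell
# string. Run through "sh -c", a request of "role; id" executes a second command.
def build_shell_command_unsafe(request: str) -> str:
    return "repmgr node check --" + request


# Hardened: each logical check maps to a fixed argv list. The request string is
# only ever used as a dictionary key, never as part of a command line.
# (These repmgr invocations are illustrative assumptions.)
ALLOWED_COMMANDS = {
    "role": ["repmgr", "node", "check", "--role"],
    "lag": ["repmgr", "node", "check", "--replication-lag"],
    "upstream": ["repmgr", "node", "check", "--upstream"],
}

# Only these networks (assumed: the application servers and the replicas) may
# talk to the check at all; anything else is refused before a command is parsed.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/64"),
]


def peer_allowed(peer_ip: str) -> bool:
    """True only if peer_ip parses as an address inside an allowed network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # garbage or hostnames are refused, never resolved
    return any(addr in net for net in ALLOWED_NETWORKS)


def build_argv(request: str) -> list:
    """Map a request line to its fixed argv; reject anything not on the allowlist."""
    name = request.strip().lower()
    if name not in ALLOWED_COMMANDS:
        raise ValueError("unknown check: %r" % name)
    return list(ALLOWED_COMMANDS[name])  # copy, so callers cannot mutate the table


def handle_request(peer_ip: str, request: str, runner=subprocess.run) -> int:
    """Return an HTTP-style status: 403 for an unknown host, 400 for an unknown
    check, 200 if the check passed, 503 if it failed. `runner` is injectable so
    the handler can be exercised without repmgr installed."""
    if not peer_allowed(peer_ip):
        return 403
    try:
        argv = build_argv(request)
    except ValueError:
        return 400
    # shell=False: argv goes straight to execve, so no shell metacharacter in
    # any element is ever interpreted.
    result = runner(argv, shell=False, capture_output=True, timeout=10)
    return 200 if result.returncode == 0 else 503


def fake_runner(returncode: int):
    """Stand-in for subprocess.run that records argv and returns returncode."""
    calls = []

    def run(argv, **kwargs):
        calls.append(list(argv))
        return subprocess.CompletedProcess(argv, returncode)

    run.calls = calls
    return run


if __name__ == "__main__":
    print("unsafe:", build_shell_command_unsafe("role; id"))
    ok = fake_runner(0)
    print("known host, known check:", handle_request("192.0.2.10", "role", runner=ok))
    print("known host, injected check:", handle_request("192.0.2.10", "role; id", runner=ok))
    print("unknown host:", handle_request("198.51.100.7", "role", runner=ok))
    print("argv actually run:", ok.calls)
```

One caveat on the pg_hba.conf line proposed above: `samenet` restricts the source network, but the `trust` method allows the connection unconditionally, with no password or certificate, for every host on those subnets, and pg_hba.conf only governs connections to PostgreSQL itself, not to a separate health-check listener. That is why the host check in `peer_allowed` sits in the script, in front of the command allowlist.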

nikaro commented 5 years ago

Hello,

Thank you for reporting this. I'm currently on holiday and will take a look as soon as possible.

Actually, in our setup we allow (by firewall rules) only trusted hosts (applications & replicas) to execute queries. I recommend doing the same.

WaldoSRHS commented 5 years ago

Appreciate your note. I should have stated that nothing was really wrong with the core script, but that novices might want to consider hardening their system during implementation. I'm new to GitHub, so I'm not sure how best to communicate that. I'm open to modifying my comments as long as you have a place where this sort of vulnerability is mentioned.

Thanks -

> On Wednesday, October 17, 2018, Nicolas Karolak (nikaro) wrote:
>
> Hello,
>
> Thank you for reporting this. I'm currently on holiday and will take a look as soon as possible.
>
> Actually, in our setup we allow (by firewall rules) only trusted hosts (applications & replicas) to execute queries. I recommend doing the same.
