Closed Sim4n6 closed 1 year ago
Your submission is now in status Test run.
For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Hi @Sim4n6,
Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined this query is too much of an edge case to be included in the CodeQL query suites. We don't deny that the vulnerabilities this query tries to cover can occur in reality. However, the use of local flow sources as this query currently does makes only limited sense for a more general application as part of a query suite. If an attacker is able to exploit such a vulnerability with a local flow source (e.g. by passing in values on the command line), it seems likely that they are already operating from an elevated position. As confirmed by our tests of your query at scale, it's unlikely that the query could yield interesting results when only using remote flow sources. Therefore it's not eligible for a reward under the Bug Bounty program, as our goal is to scale vulnerability detection.
Best regards and happy hacking!
Your submission is now in status Closed.
No problem @xcorail.
By the way, it caught something interesting... a medium-severity vulnerability that can be exploited in CI/CD env from a CLI input source. It will be published by October. I will let you know the outcome for sure.
Query PR
https://github.com/github/codeql/pull/13640
Language
Python
CVE(s) ID list
CWE
CWE-074
Report
What is the vulnerability?

Arbitrary Configuration Injection: Not correctly sanitizing user input before using it to set configuration values in the user's configuration file can lead to arbitrary configuration injection. Under some circumstances, this may result in arbitrary code execution. Directly writing user input coming from an HTTP request parameter or straight from the command-line input into the user's configuration file, without properly sanitizing the input first, would lead to an arbitrary configuration injection vulnerability. This, in turn, may permit achieving arbitrary code execution via configuration values that specify executables, such as core.pager, core.editor, and so on.

How does the vulnerability work?

\r that would get slipped into the configuration file. It would lead to the injection of a key and a value, like this: aaaa\rk1 = v1.

What strategy do you use in your query to find the vulnerability?

set() or not common add_section() to the configuration file. \r is replaced or deleted within the section, the option or the value.

How have you reduced the number of false positives?

os.path.dirname(). I don't know if I add it as a sanitizer or not.

Other information?

\r.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
https://sim4n6.beehiiv.com
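The \r injection described under "How does the vulnerability work?" above, shown as an added Python example (this is not code from the report, from the CodeQL query, or from any affected project): a value shaped like the report's aaaa\rk1 = v1 is written with configparser, the file is re-read the way a consumer would read it, and the bare carriage return turns into a second key. The same value passed through the sanitizer the report describes (the \r deleted) stays on one line. The [core] section, the pager option, the file name and the sample value are all constructed for this illustration.

```python
import configparser
import os
import tempfile

# Constructed sample input: an attacker-controlled string (as it might arrive
# from an HTTP parameter or a CLI argument) carrying a carriage return, in the
# shape of the report's "aaaa\rk1 = v1" illustration.
TAINTED_VALUE = "aaaa\rk1 = v1"


def sanitize_config_value(value: str) -> str:
    """Delete the line breaks that could start a new option or section.

    Mirrors the sanitizer the report describes (the \\r replaced or deleted).
    \\n is removed as well: configparser escapes it on the write side, but a
    different consumer of the same file may not honour that escaping.
    """
    return value.replace("\r", "").replace("\n", "")


def write_config(path: str, value: str, sanitize: bool) -> None:
    """Write the value as [core] pager.

    With sanitize=False this is the unsanitized sink the report's query flags:
    configparser.set() accepts "\\r" in a value and write() emits it verbatim.
    """
    if sanitize:
        value = sanitize_config_value(value)
    cfg = configparser.ConfigParser()
    cfg.add_section("core")          # hypothetical section/option names
    cfg.set("core", "pager", value)  # no rejection of "\r" here
    with open(path, "w", encoding="utf-8") as fp:
        cfg.write(fp)


def read_core_section(path: str) -> dict:
    """Re-read the file as a consumer would and return the [core] options.

    ConfigParser.read() opens the file in universal-newlines mode, so the bare
    "\\r" becomes a line break and "k1 = v1" is parsed as its own option.
    """
    cfg = configparser.ConfigParser()
    cfg.read(path, encoding="utf-8")
    return dict(cfg.items("core"))


def round_trip(value: str, sanitize: bool) -> dict:
    """Write then re-read a config file in a temp dir; returns [core] options."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.ini")
        write_config(path, value, sanitize)
        return read_core_section(path)


if __name__ == "__main__":
    print("unsanitized:", round_trip(TAINTED_VALUE, sanitize=False))
    # {'pager': 'aaaa', 'k1': 'v1'}  -> a second option was injected
    print("sanitized:  ", round_trip(TAINTED_VALUE, sanitize=True))
    # {'pager': 'aaaak1 = v1'}       -> one option, the value stays on one line
```

The unsanitized run is the detection signal a reviewer can check for by hand: the number of options read back is larger than the number written. Deleting the line breaks is the fix the report's query recognises as a sanitizer; rejecting such values outright (raising instead of stripping) is an equally valid choice when the application can afford to refuse the input.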