search

isard-vdi / isard

Isard VDI. Open Source KVM Virtual Desktops based on KVM Linux and dockers. Please use https://gitlab.com/isard/isardvdi
http://www.isardvdi.com
GNU Affero General Public License v3.0
188 stars 57 forks source link

Possible OS command injection in code #442

Open openrefactory opened 1 year ago

openrefactory commented 1 year ago

In file: api_hypervisors.py, there is a method that is vulnerable to attacks which can execute arbitrary operating system(OS) commands. Here is the flow in the code that leads to the possible OS Command Injection.

The taint starts from HypervisorsView.py file, line 84. Here variable port is assigned a tainted value from an external source.

port = request.form.get("port", default="2022", type=str)

In that same file (HypervisorsView.py), line 129, the tainted information is passed through a method call via port to the formal parameter port of the method.

Then in api_hypervisors.py file, line 103, the tainted information is passed through a method call via port to the formal parameter port of the method. Similarly the information passes in line 172 of the same file.

Finally, in line 306, the tainted information is passed through a method invocation and is used in a sink.

The data should be sanitized to remove the problem. No fix was given.

openrefactory commented 1 year ago

There are two other places where the same tainted data flows. In total there are three places in code where port is being assigned from request.form and used in a taint sink subprocess.check_output.

All of them are marked.