baltpeter
commented
1 year ago I don't think that's true:
This worked without --shell. Pretty sure the problem is the space, you have to split that into two arguments.
Closed zner0L closed 1 year ago
baltpeter
commented
1 year ago I don't think that's true:
This worked without --shell. Pretty sure the problem is the space, you have to split that into two arguments.
zner0L
commented
1 year ago Aaah, you're right! Thank you!
In order to pass the
--set hardumpoption to mitmproxy, we need to setexeca()to shell mode:https://github.com/tweaselORG/cyanoacrylate/blob/5ae684cadd51e8bf76f569dddb9f868968687d6d/src/index.ts#L391
But since we pass user content (the
addonPath) this strikes me as unsafe. We need to set the option, so there is no other way. Do you think it is enough to just resolve the paths usingpath.resolve()to sanitize them? I mean, in the end we allow users to set addons which execute any code they like so in this particular case I guess there is no added security risk?