But since we pass user content (the addonPath) this strikes me as unsafe. We need to set the option, so there is no other way. Do you think it is enough to just resolve the paths using path.resolve() to sanitize them? I mean, in the end we allow users to set addons which execute any code they like so in this particular case I guess there is no added security risk?
In order to pass the
--set hardump
option to mitmproxy, we need to setexeca()
to shell mode:https://github.com/tweaselORG/cyanoacrylate/blob/5ae684cadd51e8bf76f569dddb9f868968687d6d/src/index.ts#L391
But since we pass user content (the
addonPath
) this strikes me as unsafe. We need to set the option, so there is no other way. Do you think it is enough to just resolve the paths usingpath.resolve()
to sanitize them? I mean, in the end we allow users to set addons which execute any code they like so in this particular case I guess there is no added security risk?