Open
Description
Detected non-static command inside Command. Audit the input to exec.Command. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.
core/container/externalbuilder/externalbuilder.go#L401
```go
func (b *Builder) NewCommand(name string, args ...string) *exec.Cmd {
	cmd := exec.Command(name, args...)
	propagationList := appendDefaultPropagateEnvironment(b.PropagateEnvironment)
	for _, key := range propagationList {
		if val, ok := os.LookupEnv(key); ok {
			cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", key, val))
		}
	}
	return cmd
}
```
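The finding hinges on where `name` comes from. If the only callers pass fixed program names that live in a directory the builder controls, the flagged line is not reachable by user data; the audit the scanner asks for is confirming that. The example below is added here and is not the project's code: it shows one way to make that property explicit in the wrapper itself, so the check does not depend on every caller being careful. The `Builder.Location` field, the allow list of program names, and the `defaultPropagateEnvironment` list are constructed for the example; the project's real `appendDefaultPropagateEnvironment` is replaced by a stand-in with the same shape.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrCommandNotAllowed is returned when the requested program is not on the allow list.
var ErrCommandNotAllowed = errors.New("command not on allow list")

// allowedCommands is a constructed allow list of the only programs the builder
// may run. Entries are bare basenames; a caller cannot smuggle in a path.
var allowedCommands = map[string]bool{
	"detect":  true,
	"build":   true,
	"release": true,
	"run":     true,
}

// defaultPropagateEnvironment is a constructed stand-in for the variables the
// real appendDefaultPropagateEnvironment always forwards.
var defaultPropagateEnvironment = []string{"PATH", "LD_LIBRARY_PATH", "LIBPATH", "TMPDIR"}

// Builder is a constructed minimal version of the type the finding refers to.
type Builder struct {
	Location             string   // directory that holds the builder's own programs (assumed)
	PropagateEnvironment []string // extra variables the operator wants forwarded
}

// appendDefaultPropagateEnvironment merges the defaults with the caller's list,
// dropping duplicates so a variable is never appended to cmd.Env twice.
func appendDefaultPropagateEnvironment(extra []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, key := range append(append([]string{}, defaultPropagateEnvironment...), extra...) {
		if !seen[key] {
			seen[key] = true
			out = append(out, key)
		}
	}
	return out
}

// validateCommandName accepts only a plain, allow-listed basename. Anything with
// a path separator, a NUL byte or shell metacharacters is rejected before it can
// reach exec.Command.
func validateCommandName(name string) error {
	if name == "" || name != filepath.Base(name) || strings.ContainsAny(name, "\x00;&|$`") {
		return fmt.Errorf("%w: %q", ErrCommandNotAllowed, name)
	}
	if !allowedCommands[name] {
		return fmt.Errorf("%w: %q", ErrCommandNotAllowed, name)
	}
	return nil
}

// NewCommand is the hardened counterpart of the flagged function: the program is
// resolved inside b.Location rather than via PATH, so the caller chooses only
// which allow-listed builder step runs, never which binary.
func (b *Builder) NewCommand(name string, args ...string) (*exec.Cmd, error) {
	if err := validateCommandName(name); err != nil {
		return nil, err
	}
	for i, a := range args {
		if strings.ContainsRune(a, 0) {
			return nil, fmt.Errorf("argument %d contains a NUL byte", i)
		}
	}
	prog := filepath.Join(b.Location, "bin", name)
	cmd := exec.Command(prog, args...)
	// Start from an empty environment and forward only the listed variables,
	// exactly as the original loop does.
	for _, key := range appendDefaultPropagateEnvironment(b.PropagateEnvironment) {
		if val, ok := os.LookupEnv(key); ok {
			cmd.Env = append(cmd.Env, key+"="+val)
		}
	}
	return cmd, nil
}

func main() {
	b := &Builder{Location: "/opt/builder", PropagateEnvironment: []string{"HOME"}}
	if cmd, err := b.NewCommand("build", "/src", "/meta", "/out"); err == nil {
		fmt.Println("accepted:", cmd.Path, cmd.Args[1:])
	}
	// A caller-controlled path or an unlisted program is refused, not executed.
	for _, bad := range []string{"/bin/sh", "../sh", "rm"} {
		_, err := b.NewCommand(bad, "-c", "id")
		fmt.Println("rejected:", bad, "->", err)
	}
}
```

Nothing here changes what `exec.Command` does; it never invokes a shell, so the classic `; rm -rf` style of injection does not apply to the arguments. What the wrapper closes off is the other half of the finding: a caller picking the program itself. Resolving under a fixed directory also removes the dependence on whatever `PATH` the process inherited.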
References
https://owasp.org/Top10/A03_2021-Injection
Steps to reproduce
No response