Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v15] Quote user supplied inputs provided to scripts to avoid RCE #39837

Merged
merged 3 commits into from Mar 26, 2024
Merged

[v15] Quote user supplied inputs provided to scripts to avoid RCE #39837

merged 3 commits into from Mar 26, 2024

Conversation

jentfoo
Copy link
Member

@jentfoo jentfoo commented Mar 26, 2024

Backport #39644 to branch/v15

changelog: Fix for possible phishing links which could result in code execution with install and join scripts

@jentfoo
Quote user supplied inputs provided to scripts to avoid RCE
df7910b 
This change introduces the func `utils.UnixShellQuote` which will quote any inputs which could potentially allow execution or script escape.
This is utilized to ensure that scripts produced from a potential Phishing link could not contain code execution which may expose a user.
@jentfoo
awsAccessGraphOIDCSync: Ensure role parameter is quoted correctly
6b3ae00
@jentfoo
join_tokens: Move shell quote to getJoinScript rather than where pa…
161313b 
…rameters are extracted

This will increase safety moving forward, but it requires a more conservative quoting strategy.
@jentfoo jentfoo self-assigned this Mar 26, 2024
@jentfoo jentfoo added this pull request to the merge queue Mar 26, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 26, 2024
@jentfoo jentfoo added this pull request to the merge queue Mar 26, 2024
Merged via the queue into branch/v15 with commit 89a4da5 Mar 26, 2024
34 checks passed
@jentfoo jentfoo deleted the bot/backport-39644-branch/v15 branch March 26, 2024 16:21
@tcsc tcsc mentioned this pull request Mar 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcoandredinis marcoandredinis marcoandredinis approved these changes

@AntonAM AntonAM AntonAM approved these changes

@tigrato tigrato tigrato approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees

@jentfoo jentfoo

Labels
backport size/md
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@jentfoo @marcoandredinis @AntonAM @tigrato @rosstimothy