Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v14] Quote user supplied inputs provided to scripts to avoid RCE #39838

Merged
merged 1 commit into from Mar 26, 2024
Merged

[v14] Quote user supplied inputs provided to scripts to avoid RCE #39838

merged 1 commit into from Mar 26, 2024

Conversation

jentfoo
Copy link
Contributor

@jentfoo jentfoo commented Mar 26, 2024

Backport #39644 to branch/v14 (minor conflicts with missing aws join implementations)

changelog: Fix for possible phishing links which could result in code execution with install and join scripts

@jentfoo
Quote user supplied inputs provided to scripts to avoid RCE (#39644)
bd02819 
* Quote user supplied inputs provided to scripts to avoid RCE

This change introduces the func `utils.UnixShellQuote` which will quote any inputs which could potentially allow execution or script escape.
This is utilized to ensure that scripts produced from a potential Phishing link could not contain code execution which may expose a user.

* awsAccessGraphOIDCSync: Ensure role parameter is quoted correctly

* join_tokens: Move shell quote to `getJoinScript` rather than where parameters are extracted

This will increase safety moving forward, but it requires a more conservative quoting strategy.
@jentfoo jentfoo self-assigned this Mar 26, 2024
@jentfoo jentfoo added this pull request to the merge queue Mar 26, 2024
Merged via the queue into branch/v14 with commit f0823d3 Mar 26, 2024
26 checks passed
@jentfoo jentfoo deleted the jent/script_param_rce_fix-v14 branch March 26, 2024 16:06
@tcsc tcsc mentioned this pull request Mar 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcoandredinis marcoandredinis marcoandredinis approved these changes

@tigrato tigrato tigrato approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees

@jentfoo jentfoo

Labels
backport size/md
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jentfoo @marcoandredinis @tigrato @rosstimothy