Description
The function validate_command_network_egress() (validation.py:515-594) inspects every command argument for network destinations against the safe-mode + network policy configuration. However, it is never imported or invoked anywhere in the execution pipeline (executor.py or routes.py). While the primary target field is validated at executor.py:296-351, secondary plugin fields like proxy, virtual_host, config_file, and user_agent can contain arbitrary network destinations that bypass target validation entirely. For example, the nikto plugin's proxy field could be used to route connections through an attacker-controlled proxy without any validation.
Files Affected
secuscan/core/validation.py — validate_command_network_egress() definition (lines 515-594)
secuscan/core/executor.py — execute_task() where the function should be called but isn't
Expected Behavior
Before spawning any subprocess, every command argument should be inspected for network destinations. If a plugin field like proxy, virtual_host, or config_file contains a network host, it should be validated against the network policy just like the primary target field.
Actual Behavior
validate_command_network_egress() is defined but never called. Secondary plugin fields bypass all network policy validation. An attacker can use the proxy field (or similar) to route scanner traffic through arbitrary hosts.
Steps to Reproduce
- Configure a scan with a plugin that has a proxy field (e.g., nikto)
- Set the proxy to an arbitrary external host not in the allowlist
- Disable the primary target validation check
- Execute the scan
- Observe that the scan connects through the unvalidated proxy host
- Confirm validate_command_network_egress is never called by adding a breakpoint
Impact
An attacker who can control scan parameters (or a plugin with exploitable fields) can route scanner traffic through arbitrary hosts, bypassing the entire safe-mode network policy. This is a high-severity vulnerability in a security tool where the safe mode is a core feature.
Fix Required
Wire validate_command_network_egress() into executor.py's execute_task() before spawning the subprocess. Each argument from plugin configurations needs to be checked against the network policy. The function itself may also need adjustments to handle different argument formats from different plugins.
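The shape of the fix described above, as an added illustration rather than secuscan's own code: an egress gate that inspects every argv element (URLs, host:port pairs, bare IPs and hostnames, including the value half of key=value options) against an allowlist before the subprocess is spawned, so a proxy or virtual_host value is checked the same way the primary target is. The NetworkPolicy class, the function names, the nikto-style arguments and the allowlisted addresses below are assumptions for this example and do not describe the project's real validation.py or executor.py.

```python
"""Added example of a pre-spawn network egress gate (not secuscan's own code).
The policy shape, function names and sample argv below are assumptions."""
import ipaddress
import re
import subprocess
from dataclasses import dataclass, field
from urllib.parse import urlsplit


class NetworkPolicyViolation(ValueError):
    """Raised when an argument references a host outside the allowlist."""


@dataclass(frozen=True)
class NetworkPolicy:
    # Hypothetical policy shape: explicit hostnames plus CIDR ranges.
    allowed_hosts: frozenset = field(default_factory=frozenset)
    allowed_networks: tuple = ()  # tuple of ipaddress network objects

    def permits(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        if host in self.allowed_hosts:
            return True
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False  # unknown hostname: fail closed
        return any(addr in net for net in self.allowed_networks)


# Token shapes that can carry a destination: scheme://..., host:port, dotted hostnames.
_URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
_HOSTPORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+|\[[0-9a-fA-F:]+\]):(?P<port>\d{1,5})$")
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def extract_hosts(arg: str) -> list:
    """Return every network host a single argv element could make the tool contact."""
    hosts = []
    # key=value options (e.g. proxy=http://host) expose the value part as well.
    candidates = [arg]
    if "=" in arg:
        candidates.append(arg.split("=", 1)[1])
    for cand in candidates:
        if _URL_RE.match(cand):
            host = urlsplit(cand).hostname
            if host:
                hosts.append(host)
            continue
        m = _HOSTPORT_RE.match(cand)
        if m:
            hosts.append(m.group("host").strip("[]"))
            continue
        try:
            ipaddress.ip_address(cand)
            hosts.append(cand)
            continue
        except ValueError:
            pass
        if _HOSTNAME_RE.match(cand):
            hosts.append(cand)  # bare dotted name: treated as a destination
    return hosts


def validate_command_egress(argv: list, policy: NetworkPolicy) -> list:
    """Inspect every argv element; return the hosts found or raise on the first violation."""
    seen = []
    for arg in argv:
        for host in extract_hosts(arg):
            if not policy.permits(host):
                raise NetworkPolicyViolation(
                    f"argument {arg!r} references disallowed host {host}"
                )
            seen.append(host)
    return seen


def execute_task(argv: list, policy: NetworkPolicy, run=subprocess.run):
    """Gate the spawn: the egress check runs before run() is ever reached."""
    validate_command_egress(argv, policy)
    return run(argv, check=False)


if __name__ == "__main__":
    # Constructed sample: the only permitted destinations are one host and 10.0.0.0/8.
    demo_policy = NetworkPolicy(
        allowed_hosts=frozenset({"scanme.example.com"}),
        allowed_networks=(ipaddress.ip_network("10.0.0.0/8"),),
    )
    ok = ["nikto", "-host", "scanme.example.com", "-useproxy", "http://10.0.0.5:3128"]
    print("allowed hosts:", validate_command_egress(ok, demo_policy))
    bad = ["nikto", "-host", "scanme.example.com", "-useproxy", "http://203.0.113.9:8080"]
    try:
        validate_command_egress(bad, demo_policy)
    except NetworkPolicyViolation as exc:
        print("blocked:", exc)
```

The gate fails closed: any dotted token that parses as a hostname is treated as a destination, so a relative config filename such as nikto.conf would be rejected unless its basename is on the allowlist or it is passed as an absolute path. That is the trade-off the last sentence of the issue points at; a production version would need per-plugin knowledge of which fields are paths and which are network destinations.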