
Investigate possible vulnerabilities when using subprocess in the framework/ directory #10144

Closed
13 tasks done
Tracked by #2330
mcarmona99 opened this issue Sep 15, 2021 · 1 comment · Fixed by #10740
mcarmona99 commented Sep 15, 2021

Description

With the test created in the issue wazuh/wazuh-qa#1615, some possible code flaws were found by Bandit.

In this issue we specify flaws regarding the use of subprocess calls in framework/.

In total, we have 11 possible vulnerabilities with the use of subprocess.

The last 5 vulnerabilities are also due to the use of subprocess, but the difference is that these possible flaws only ask us to consider the possible security implications of importing subprocess, rather than of its usage.

Vulnerability when using subprocess:

Issue text: subprocess call - check for execution of untrusted input.

More info: https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html

Vulnerability when importing subprocess:

Issue text: Consider possible security implications associated with subprocess module.

More info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess

We should investigate these results and see if they are real vulnerabilities.

Checks

wazuh/wazuh

  • Unit tests without failures. Updated and/or expanded if there are new functions/methods/outputs:
    • Cluster (framework/wazuh/core/cluster/tests/ & framework/wazuh/core/cluster/dapi/tests/)
    • Core (framework/wazuh/core/tests/)
    • SDK (framework/wazuh/tests/)
    • RBAC (framework/wazuh/rbac/tests/)
    • API (api/api/tests/)
  • API tavern integration tests without failures. Updated and/or expanded if needed (api/test/integration/):
    • Affected tests
    • Affected RBAC (black and white) tests
  • Review integration test mapping using the script (api/test/integration/mapping/integration_test_api_endpoints.json)
  • Review of spec.yaml examples and schemas (api/api/spec/spec.yaml)
  • Review exceptions remediation when any endpoint path changes or is removed (framework/wazuh/core/exception.py)
  • Changelog (CHANGELOG.md)

wazuh/wazuh-documentation

  • Migration from 3.X for changed endpoints (source/user-manual/api/equivalence.rst)
  • Update RBAC reference with new/modified actions/resources/relationships (source/user-manual/api/rbac/reference.rst)
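The pattern Bandit's B603 check asks a reviewer to verify, as an added example that is not code from this issue or from the Wazuh framework: a wrapper that always passes an argv list with shell=False, restricts the executable to a hypothetical allowlist, and shows that shell metacharacters in untrusted arguments reach the child process as literal strings. ALLOWED_EXECUTABLES, is_allowed, run_trusted and echo_args are names chosen for this example; the sample inputs are constructed.

```python
import json
import subprocess
import sys
from typing import List, Sequence

# Hypothetical allowlist: the only executables this module may spawn.
# A real service would list the exact binaries it needs, by absolute path.
ALLOWED_EXECUTABLES = frozenset({sys.executable})


def is_allowed(argv: Sequence[str]) -> bool:
    """Return True when argv names an allowlisted executable and every
    argument is a NUL-free string (execve rejects embedded NUL bytes)."""
    if not argv or argv[0] not in ALLOWED_EXECUTABLES:
        return False
    return all(isinstance(a, str) and "\0" not in a for a in argv[1:])


def run_trusted(argv: Sequence[str], timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Spawn a process the way B603 expects reviewers to confirm it is done:
    - argv is a list, never a string, so no word splitting happens;
    - shell=False, so the list goes straight to execve() and shell
      metacharacters in untrusted arguments are plain data;
    - the executable is fixed by an allowlist, so untrusted input may
      influence arguments but never which program runs.
    """
    argv = list(argv)
    if not is_allowed(argv):
        raise ValueError(f"refusing to run {argv[:1]!r}: not on the allowlist")
    return subprocess.run(
        argv,
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


def echo_args(*untrusted: str) -> List[str]:
    """Pass untrusted strings through run_trusted() and return what the
    child actually received in sys.argv. With shell=False the metacharacters
    are not interpreted, so the strings come back unchanged."""
    child = "import json, sys; print(json.dumps(sys.argv[1:]))"
    proc = run_trusted([sys.executable, "-c", child, *untrusted])
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed sample inputs carrying shell metacharacters.
    print(echo_args("$(hostname)", "report.txt; id", "a | b"))
```

The string form (`subprocess.run("tool " + user_input, shell=True)`) is what would turn these strings into commands, and Bandit reports that separately as B602. B603 fires on every call without shell=True, so the investigation this issue asks for amounts to checking, call by call, that argv is built from a list like this and that the executable is not chosen by the input; once a call has been reviewed, Bandit's `# nosec` comment on that line records the decision and silences the finding.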
Kondent commented Nov 4, 2021

Update

I've finished the investigation on this issue. The report is available in the related pull request.

Regards,
Alexis
