Add direct command Injection vulnerability (CWE-77, OWASP API 8) #121

Open
JBAhire opened this issue Oct 4, 2022 · 3 comments
Labels
enhancement New feature or request good first issue Good for newcomers hacktoberfest

Comments

@JBAhire
Collaborator

JBAhire commented Oct 4, 2022

Is your feature request related to a problem? Please describe.
Currently, we can use crAPI to demonstrate indirect command injection, but we also want to add capabilities to demonstrate direct command injection.

Describe the solution you'd like
@piyushroshan , can you guide us here for a solution?

@JBAhire JBAhire added enhancement New feature or request good first issue Good for newcomers hacktoberfest labels Oct 4, 2022
@afreen23

afreen23 commented Oct 8, 2022

Hello,
I am working on a solution for this.

@afreen23

Hello @piyushroshan @JBAhire ,
Can we use the API /identity/api/v2/user/videos/convert_video for exposing this vulnerability, since it requires running a conversion command in bash?

```java
return new CRAPIResponse(
    bashCommand.executeBashCommand(profileVideo.getConversion_params()), 200);
```

Though I am not sure what command is passed there ⬆️. Only the params are being passed now:

```java
private String conversion_params = "-v codec h264";
```

While running on dev mode it kept saying "Failed to convert" since x-forwarded-host headers were missing.

```java
// Excerpt of the convert_video handler as posted in this thread (crAPI code).
// The presence of the X-Forwarded-Host header selects the outer branch; the
// stored conversion_params string is what ultimately reaches executeBashCommand.
if (xForwardedHost == null) {
  if (videoId != null && videoId > 0) {
    Optional<ProfileVideo> optionalProfileVideo = profileVideoRepository.findById(videoId);
    if (optionalProfileVideo.isPresent() && block_shell_injections) {
      profileVideo = optionalProfileVideo.get();
      if (ProfileValidator.checkContains(profileVideo.getConversion_params())) {
        return new CRAPIResponse(UserMessage.CONVERSION_VIDEO_OK, 200);
      } else if (profileVideo.getConversion_params().equalsIgnoreCase("-v codec h264")) {
        return new CRAPIResponse(UserMessage.CONVERT_VIDEO_BASH_COMMAND_TRIGGERED, 200);
      } else if (!profileVideo.getConversion_params().equalsIgnoreCase("-v codec h264")) {
        if (ProfileValidator.checkSpecialCharacter(profileVideo.getConversion_params())) {
          return new CRAPIResponse(UserMessage.CONVERT_VIDEO_INTERNAL_ERROR, 500);
        }
        return new CRAPIResponse(UserMessage.YOU_WON_THE_GAME, 200);
      }
      return new CRAPIResponse(UserMessage.CONVERT_VIDEO_INTERNAL_ERROR, 500);
    } else if (optionalProfileVideo.isPresent()
        && !block_shell_injections
        && optionalProfileVideo.get().getConversion_params() != null) {
      profileVideo = optionalProfileVideo.get();
      // Unguarded path: the stored params go straight into a bash command.
      return new CRAPIResponse(
          bashCommand.executeBashCommand(profileVideo.getConversion_params()), 200);
    }
    return new CRAPIResponse(UserMessage.CONVERT_VIDEO_INTERNAL_ERROR, 500);
  }
  return new CRAPIResponse(UserMessage.CONVERT_VIDEO_PARAM_IS_MISSING, 400);
} else {
  return new CRAPIResponse(UserMessage.CONVERT_VIDEO_INTERNAL_USE_ONLY, 403);
}
```

I am looking into this but if you have any pointers or other suggestions please guide.
Thanks!

@piyushroshan
Collaborator

piyushroshan commented Oct 11, 2022

That's the indirect command injection in crAPI. We can for sure enhance in that direction. Since this is a GET request, maybe provide a query param as the conversion param in the GET request that can invoke the same pipeline.
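As an added example (not crAPI's code and not part of this thread), the class below shows the defensive counterpart to the pipeline discussed above: a conversion-param string, whether it comes from the stored profile (the indirect case) or from a query parameter on the GET request (the direct case proposed in the comment above), is validated against an allowlist and handed to the converter as an argument vector instead of being interpolated into a bash command line. The `ffmpeg` command, the allowlist patterns, the `/tmp/in.mp4` path and the sample inputs are assumptions for illustration; the real implementation of `executeBashCommand` is not shown in the thread.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not crAPI's own code. Validates a conversion-param string
// and builds an argument vector for ProcessBuilder, so no shell ever parses
// user-influenced text.
public final class ConversionParamsGuard {

    // Assumed allowlist: ffmpeg-style flags and plain alphanumeric values only.
    private static final Pattern FLAG = Pattern.compile("^-[a-zA-Z][a-zA-Z0-9_:]{0,31}$");
    private static final Pattern VALUE = Pattern.compile("^[a-zA-Z0-9_.]{1,32}$");

    // Shell metacharacters. Matching one is grounds to reject and log the whole
    // string, never to strip the characters and continue.
    private static final Pattern SHELL_META =
        Pattern.compile("[;&|`$<>()\\\\\"'\\n\\r*?\\[\\]{}~!#]");

    public static boolean containsShellMetacharacters(String params) {
        return params != null && SHELL_META.matcher(params).find();
    }

    /**
     * Parses "-v codec h264" into ["-v", "codec", "h264"], rejecting anything
     * that is not a flag or a simple value. Returns null when rejected.
     */
    public static List<String> validate(String params) {
        if (params == null || containsShellMetacharacters(params)) {
            return null;
        }
        List<String> out = new ArrayList<>();
        for (String tok : params.trim().split("\\s+")) {
            if (tok.isEmpty()) {
                continue;
            }
            if (FLAG.matcher(tok).matches() || VALUE.matcher(tok).matches()) {
                out.add(tok);
            } else {
                return null;
            }
        }
        return out.isEmpty() ? null : out;
    }

    /**
     * Builds the argument vector for ProcessBuilder. Because there is no
     * "bash -c", each token can only ever reach ffmpeg as one literal
     * argument; validate() rejects anything shell-like before that.
     * inputPath is assumed to be chosen by the application, not the client.
     */
    public static List<String> buildCommand(String inputPath, String params) {
        List<String> args = validate(params);
        if (args == null) {
            throw new IllegalArgumentException("rejected conversion params");
        }
        List<String> cmd = new ArrayList<>(Arrays.asList("ffmpeg", "-i", inputPath));
        cmd.addAll(args);
        return cmd;
    }

    public static void main(String[] a) {
        // Constructed sample inputs: crAPI's default value, and one carrying a
        // command separator that a bash-interpolated pipeline would honour.
        String benign = "-v codec h264";
        String hostile = "-v codec h264; echo injected";

        System.out.println(buildCommand("/tmp/in.mp4", benign));
        // Expected: [ffmpeg, -i, /tmp/in.mp4, -v, codec, h264]

        try {
            buildCommand("/tmp/in.mp4", hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // The unsafe pattern this replaces, assumed to be roughly what
        // executeBashCommand does (its source is not shown in the thread):
        //   new ProcessBuilder("bash", "-c", "ffmpeg -i in.mp4 " + params)
        // Passing the string through "bash -c" is what lets ';' end the ffmpeg
        // command and start a second one.
    }
}
```

The same `validate` call can sit in front of both sources: the stored `conversion_params` field and a request query parameter. A denylist of special characters alone (the `checkSpecialCharacter` approach in the excerpt above) is the weaker half of this check; the allowlist on each token is what bounds the input, and any rejection should surface as a logged 4xx rather than an attempt to sanitize and continue.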
