Commit ed3fae1
committed
Escape all knife wrapper arguments to prevent shell command injection
The org/user management commands in wrap-knife.rb build a knife command
as a single string that is run through a shell via run_command. Each
argument was passed through Shellwords.escape EXCEPT arguments
containing '=', which were concatenated verbatim:
if arg.include?('=')
arg
else
Shellwords.escape(arg)
end
The '=' carve-out was intended to preserve "key=value" config options,
but it lets any argument containing '=' inject arbitrary shell syntax.
For example a field value such as "x=y; <command>" would have its
metacharacters interpreted by the shell instead of being passed to
knife as a literal argument.
Escape every argument unconditionally. Shellwords.escape leaves benign
characters such as '=' untouched, so legitimate "key=value" options
continue to work while shell metacharacters are neutralized.
Signed-off-by: Tim Smith <tsmith84@proton.me>1 parent b28ea69 commit ed3fae1
1 file changed
Lines changed: 6 additions & 9 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
117 | 117 | | |
118 | 118 | | |
119 | 119 | | |
120 | | - | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
121 | 125 | | |
122 | | - | |
123 | | - | |
124 | | - | |
125 | | - | |
126 | | - | |
127 | | - | |
128 | | - | |
129 | | - | |
| 126 | + | |
130 | 127 | | |
131 | 128 | | |
132 | 129 | | |
| |||
0 commit comments