Description
The Home fact constructs a shell command using an f-string with the user argument directly (f"echo ~{user}"). If the user argument is controlled by an attacker (e.g., via inventory data or a custom operation), they can inject arbitrary shell commands. The ~ expansion happens in the shell, meaning input like "; rm -rf /" would be interpreted as a separate command, leading to remote code execution on the target host.
File: src/pyinfra/facts/server.py
Suggested Fix
Use shlex.quote to properly escape the user input when constructing the shell command. For retrieving a user's home directory, getent passwd is a more robust and safer approach than relying on shell ~ expansion.
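The vulnerable and hardened command construction side by side, as an added illustration (not pyinfra's own code): home_command_vulnerable mirrors the f-string pattern the report describes, home_command_hardened applies the suggested shlex.quote plus getent passwd fix, and parse_getent_home reads the home directory out of a getent record. Function names, the sample username and the getent output line are all constructed for this example.

```python
import shlex

# Vulnerable pattern from the report: the user value is interpolated into the
# shell string unchanged, so shell metacharacters in it become a second command.
def home_command_vulnerable(user: str) -> str:
    return f"echo ~{user}"

# Hardened pattern: quote the argument and ask the passwd database directly
# instead of relying on shell ~ expansion. An empty user keeps the "echo ~"
# behaviour (current user); nothing attacker-controlled is interpolated there.
# Assumption: callers additionally reject names starting with "-" so the value
# can never be parsed by getent as an option.
def home_command_hardened(user: str = "") -> str:
    if not user:
        return "echo ~"
    return f"getent passwd {shlex.quote(user)}"

# getent passwd prints one colon-separated record per match; the home
# directory is the sixth field. Returns None when no record was produced.
def parse_getent_home(output: str):
    lines = output.strip().splitlines()
    if not lines:
        return None
    fields = lines[0].split(":")
    if len(fields) < 7:
        return None
    return fields[5]

if __name__ == "__main__":
    # Constructed attacker-style value: a username followed by an extra command.
    bad_user = "alice; echo injected"
    print(home_command_vulnerable(bad_user))  # the shell sees two commands
    print(home_command_hardened(bad_user))    # the shell sees one quoted argument
    # Constructed getent output for a regular account.
    print(parse_getent_home("alice:x:1000:1000:Alice:/home/alice:/bin/bash"))
```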