Command Injection: in nasa/fprime

Valid

Reported on

Jun 27th 2022


Description

cookiecutter is a command-line utility that creates projects from cookiecutters.

Affected versions of this package are vulnerable to command injection via hg argument injection. When the cookiecutter function is called from Python code with the checkout parameter, the value is passed to the hg checkout command in a way that lets additional flags be set. Those additional flags can be used to perform command injection.

Proof of Concept

from cookiecutter.main import cookiecutter

# An option-shaped checkout value is parsed by hg as a flag rather than a revision
checkout = "--config=alias.checkout=!touch ./HELLO"
cookiecutter('some valid hg repository', checkout=checkout)

Impact

Arbitrary code execution: the ability to run any command or code of the attacker's choice.
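The defect described above is that a caller-controlled string reaches hg's argument parser where it can be read as an option. The following is an added example, not cookiecutter's or fprime's own code, showing the check a wrapper around a VCS command should apply before passing a ref: reject option-shaped values, terminate the option list with `--` so the ref is always positional, and run the command as an argv list rather than through a shell. The `_SAFE_REF` pattern and the function names are assumptions for illustration; the sample values are constructed.

```python
import re
import subprocess
from typing import List

# Refs that look like a branch, tag, or changeset id: letters, digits and a few
# separators, never starting with "-" (which hg would parse as an option).
# Illustrative pattern, not cookiecutter's own validation.
_SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]{0,199}$")


def is_safe_ref(ref: str) -> bool:
    """Return True when `ref` can be passed to hg as a positional argument
    without being interpreted as an option."""
    return bool(_SAFE_REF.fullmatch(ref))


def build_hg_checkout_argv(ref: str) -> List[str]:
    """Build argv for `hg checkout <ref>`. The `--` terminates option parsing
    so the ref is always positional; option-like refs are rejected up front."""
    if not is_safe_ref(ref):
        raise ValueError(f"refusing to pass option-like ref to hg: {ref!r}")
    return ["hg", "checkout", "--", ref]


def run_checkout(ref: str, repo_dir: str) -> subprocess.CompletedProcess:
    """Run the checkout without a shell: argv is a list, so no word splitting
    or alias/config injection happens and hg sees exactly one ref argument."""
    argv = build_hg_checkout_argv(ref)
    return subprocess.run(argv, cwd=repo_dir, check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed samples: the first mirrors the option-shaped value from the
    # report above; the others are the kinds of ref a template caller would pass.
    samples = [
        "--config=alias.checkout=!touch ./HELLO",
        "main",
        "v1.2.0",
        "a1b2c3d4e5f6",
        "-r tip",
    ]
    for s in samples:
        print(f"{s!r:45} safe={is_safe_ref(s)}")
```

`is_safe_ref` is deliberately an allow-list rather than a deny-list of known-dangerous flags; the `--` terminator is the second line of defence in case the allow-list is loosened later. `run_checkout` needs a real hg repository and is not exercised by the samples.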

We are processing your report and will contact the nasa/fprime team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
Joshua Anderson
a year ago

fprime-util new is vulnerable, but this isn't particularly concerning. Users shouldn't be using untrusted sources of cookiecutter templates for generating fprime components. Until this can be fixed this vulnerability should be publicly disclosed so that users know the risks of using untrusted templates.

7h3h4ckv157
a year ago

Researcher


Sir, can you please clarify this statement? :)

As far as I understood, now you too get about the vulnerability.

Kind regards,

7h3h4ckv157
a year ago

Researcher


I'm not privileged to disclose on this platform. @admin Can you favor this?

Jamie Slome
a year ago

Admin


@7h3h4ckv157 @joshua-anderson - this vulnerability report is now publicly accessible and can be shared freely 👍

7h3h4ckv157
a year ago

Researcher


@admin will I get my bounty for this one??

Jamie Slome
a year ago

Admin


It is really up to the maintainer. If they believe this to be a vulnerability against the project, we do generally recommend marking the report as valid, however, if it does not have significant enough of an impact such that it does not require a fix, we recommend marking it as informative.

@maintainer - thoughts?

7h3h4ckv157
a year ago

Researcher


I respect both options raised by the admin. But, IMHO I will recommend the 1st, coz You already detected it as a vulnerability. But the final choice is yours though! - @maintainer :)

Kind regards

7h3h4ckv157
a year ago

Researcher


@maintainer Any updates?

7h3h4ckv157 modified the report
a year ago
7h3h4ckv157 modified the report
a year ago
7h3h4ckv157
a year ago

Researcher


@admin - can you donate my bounty to the maintainer?

Jamie Slome
a year ago

Admin


Absolutely @Kiran - we can donate the bounty to the maintainer. Once the @Joshua has attached a fix to this report and selected themselves as the fixer, we can provide them with the bounty.

We have contacted a member of the nasa/fprime team and are waiting to hear back 7 months ago
nasa/fprime maintainer
7 months ago

We have upgraded to 2.1.1. This is the suggested fix.

7h3h4ckv157 submitted a
7 months ago
7h3h4ckv157
7 months ago

Researcher


@Maintainer

Could you please validate this report ??

We have sent a follow up to the nasa/fprime team. We will try again in 7 days. 7 months ago
Pavlos modified the Severity from Critical (9.8) to Medium (6.8) 7 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Pavlos validated this vulnerability 7 months ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 3.2.0 with commit 8787fe 7 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
requirements.txt#L12 has been validated