Command Injection: in nasa/fprime
Jun 27th 2022
cookiecutter is a command-line utility that creates projects from cookiecutters.
Affected versions of this package are vulnerable to Command Injection via hg argument injection. When the cookiecutter function is called from Python code with the checkout parameter, the value is placed on the hg checkout command line unsanitized, so a value that begins with a dash is parsed by hg as an additional flag rather than as a revision. Those additional flags can be used to perform a command injection.
Proof of Concept
```python
from cookiecutter.main import cookiecutter

# The option-like checkout value reaches `hg checkout` unsanitized
checkout = "--config=alias.checkout=!touch ./HELLO"
cookiecutter('some valid hg repository', checkout=checkout)
```
Impact: arbitrary code execution, i.e. the ability to run any commands or code of the attacker's choice.
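The root cause described above is that a caller-controlled revision string is handed to hg where it can be parsed as an option. The following is an added mitigation example, not cookiecutter's own code: it validates the checkout value against a conservative revision-identifier pattern, rejects anything option-like, and builds the hg command as an argument list with `--` terminating option parsing, so the revision can never be read as a flag. The function names and the regex are assumptions chosen for this illustration.

```python
import re
import subprocess
from typing import List

# Hypothetical allow-list for a revision: branch/tag/bookmark names or
# changeset hashes. Leading '-' is excluded so the value can never be an option.
_SAFE_REV = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]*$")


def is_safe_checkout_ref(ref: str) -> bool:
    """Return True only if `ref` cannot be interpreted by hg as an option.

    Rejects the empty string, anything starting with '-', and characters
    outside a conservative identifier set (spaces, '=', '!', quotes, ...).
    """
    return bool(ref) and _SAFE_REV.match(ref) is not None


def build_hg_checkout_argv(ref: str) -> List[str]:
    """Build argv for `hg checkout` with the revision kept out of option parsing."""
    if not is_safe_checkout_ref(ref):
        raise ValueError(f"refusing suspicious checkout ref: {ref!r}")
    # '--' ends option parsing, so even a revision that slips past the regex
    # is still treated as a positional argument; the list form avoids a shell.
    return ["hg", "checkout", "--", ref]


def run_hg_checkout(repo_dir: str, ref: str) -> None:
    """Check out `ref` in an existing clone, refusing option-like values."""
    subprocess.run(build_hg_checkout_argv(ref), cwd=repo_dir, check=True)


if __name__ == "__main__":
    # Constructed sample inputs: the last one mirrors the advisory's payload shape.
    for candidate in ["default", "v1.2.0", "3a1f0c9", "--config=alias.checkout=!touch ./HELLO"]:
        try:
            print(candidate, "->", build_hg_checkout_argv(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

The two defences are independent: the allow-list catches bad input early with a clear error, and the `--` separator plus list-form `subprocess.run` ensure that even an unexpected value is passed to hg as data rather than as a flag or through a shell.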