
Prevent command injection in VyConf external validator execution
Closed, Resolved | Public | ENHANCEMENT

Description

https://github.com/vyos/vyconf/blob/master/src/value_checker.ml#L13-L24

Right now there is no validation at all, and a malicious user could execute arbitrary code with a specially prepared value to be validated. Dangerous characters should be escaped to prevent this.

Details

Difficulty level
Easy (less than an hour)
Version
-
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible
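
The pattern the description warns about, next to two ways to close it, as an added OCaml example that is not VyConf's code. The function names, the `/bin/echo` stand-in for a validator and the sample value are all hypothetical and constructed for illustration.

```ocaml
(* Added example, not VyConf code. Needs the standard "unix" library:
   ocamlfind ocamlopt -package unix -linkpkg demo.ml -o demo *)

(* Pattern at risk: the value is pasted into a string that /bin/sh will
   parse, so shell metacharacters in the value become shell syntax. *)
let unsafe_command validator value =
  Printf.sprintf "%s %s" validator value

(* Mitigation 1: quote every untrusted word before it reaches the shell.
   Filename.quote wraps the word in single quotes and escapes embedded ones. *)
let quoted_command validator value =
  Printf.sprintf "%s %s" (Filename.quote validator) (Filename.quote value)

(* Mitigation 2: no shell at all. The value travels as one argv entry,
   so nothing in it is ever interpreted as syntax. *)
let run_without_shell validator value =
  let pid =
    Unix.create_process validator [| validator; value |]
      Unix.stdin Unix.stdout Unix.stderr
  in
  match snd (Unix.waitpid [] pid) with
  | Unix.WEXITED 0 -> true
  | _ -> false

let () =
  (* Constructed input: an address followed by a second shell command. *)
  let value = "192.0.2.1; echo INJECTED" in
  (* Hypothetical stand-in for an external validator executable. *)
  let validator = "/bin/echo" in
  (* What the shell would be handed in each case (printed, not run): *)
  print_endline ("unsafe: " ^ unsafe_command validator value);
  print_endline ("quoted: " ^ quoted_command validator value);
  (* Both hardened forms deliver the whole value as a single argument. *)
  ignore (Unix.system (quoted_command validator value));
  ignore (run_without_shell validator value)
```

Neither form stops a value that begins with `-` from being read as an option by the validator itself, so validators should also treat their input strictly as data, for example by accepting `--` before it.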

Event Timeline

dmbaturin created this object with visibility "Public (No Login Required)".
syncer changed the subtype of this task from "Task" to "Enhancement". Oct 20 2018, 7:10 AM
dmbaturin changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.
dmbaturin set Is it a breaking change? to Perfectly compatible.