Fix code injection vulnerability of getGroupsForUserCommand #17256
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thank you for your pull request. |
|
Automated checks report:
Some checks failed. Please fix the reported issues and reply 'alluxio-bot, check this please' to re-run checks. |
LetianYuan
changed the title
LetianYuan
changed the title
LetianYuan
force-pushed
the
fix_code_injection
branch
from
ad5bf26
to
4b5ec25
Compare
|
Automated checks report:
All checks passed! |
|
alluxio-bot, check this please |
|
Automated checks report:
All checks passed! |
|
FYI: @yyongycy |
|
Hi, guys, when will this bug fix be merged? |
yyongycy
reviewed
Sep 7, 2023
| List<String> userAllGroups = new ArrayList<>(); | ||
| userEffectiveGroups.add(userEffectiveGroup1); | ||
| userEffectiveGroups.add(userEffectiveGroup2); | ||
| userAllGroups.add(userAllGroup1); |
There was a problem hiding this comment.
Please add negative case like
ShellUtils.execCommand(ShellUtils.getEffectiveGroupsForUserCommand("| echo 123 ") to see if that works.
There was a problem hiding this comment.
Sorry. I'm not quite familiar with PowerMockito. These codes are written after my one-hour's quick learning. So, I don't know how to add a negative case.
If possible, I'll do more researches on PowerMockito. But I'm much busy now.
And it's welcome that you or someone else to give me a hand to add a negative case.
lucyge2022
reviewed
Feb 28, 2024
| */ | ||
| @Deprecated | ||
| public static String[] getGroupsForUserCommand(final String user) { | ||
| return new String[] {"bash", "-c", "id -gn " + user + "; id -Gn " + user}; | ||
| } |
There was a problem hiding this comment.
i think you can get rid of this function as it exposes vulnerability
lucyge2022
reviewed
Feb 28, 2024
add negative shellutil for "get effective group name from use"
lucyge2022
reviewed
Feb 28, 2024
| * @param user the user name | ||
| * @return the Unix command to get a given user's effective groups list | ||
| */ | ||
| public static String[] getEffectiveGroupsForUserCommand(final String user){ |
There was a problem hiding this comment.
Suggested change
| public static String[] getEffectiveGroupsForUserCommand(final String user){ | |
| public static String[] getEffectiveGroupsForUserCommand(final String user) { |
lucyge2022
reviewed
Feb 29, 2024
This was referenced Feb 29, 2024
alluxio-bot
pushed a commit
that referenced
this pull request
Mar 4, 2024
### What changes are proposed in this pull request? Port changes from [@LetianYuan](https://github.com/LetianYuan) in PR : #17256 in urgency for resolving injection vulnerability. ### Why are the changes needed? Resolve issue: https://nvd.nist.gov/vuln/detail/CVE-2023-38889 ### Does this PR introduce any user facing changes? No. pr-link: #18532 change-id: cid-de6273697887692ceda876d556e910bdd529d2ee
alluxio-bot
pushed a commit
that referenced
this pull request
Mar 4, 2024
### What changes are proposed in this pull request? Port changes from [@LetianYuan](https://github.com/LetianYuan) in PR : #17256 in urgency for resolving injection vulnerability. ### Why are the changes needed? Resolve issue: https://nvd.nist.gov/vuln/detail/CVE-2023-38889 ### Does this PR introduce any user facing changes? No. pr-link: #18536 change-id: cid-a8122e3ff3324f1a9d881f55cc425ab30a020c35
|
Merged as part of #18536 |
alluxio-bot
pushed a commit
that referenced
this pull request
Mar 12, 2024
### What changes are proposed in this pull request? Port changes from [@LetianYuan](https://github.com/LetianYuan) in PR : #17256 in urgency for resolving injection vulnerability. ### Why are the changes needed? Resolve issue: https://nvd.nist.gov/vuln/detail/CVE-2023-38889 ### Does this PR introduce any user facing changes? No. pr-link: #18532 change-id: cid-de6273697887692ceda876d556e910bdd529d2ee
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What changes are proposed in this pull request?
We split the
ShellUtils.getGroupsForUserCommandinto two seperate methodsShellUtils.getEffectiveGroupsForUserCommandandShellUtils.getAllGroupsForUserCommand. Then change the corresponding test cases.Why are the changes needed?
Executing commands like "bash -c some_command" will introduce code injection vulnerability.
For example, if
CommonUtils.getUnixGroups("| echo 123 ")is invoked, the whole command is truncated by|and "echo 123" will be executed.Therefore, the most simple way to fix it is to not to use "bash -c".
Does this PR introduce any user facing changes?
@Deprecatedis marked on theShellUtils.getGroupsForUserCommandin case some users' codes stongly rely on this method. But in the repositoryAlluxio/alluxio,ShellUtils.getGroupsForUserCommandis never used anymore. It is replaced byShellUtils.getEffectiveGroupsForUserCommandandShellUtils.getAllGroupsForUserCommand.