You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
the functions below in virtualbox.js, could allow for a user to inject additional commands with the cmd variable (ex: "; pwd") resulting in remote command execution assuming this was public facing.
function vboxcontrol(cmd, callback) {
command('VBoxControl ' + cmd, callback);
}
function vboxmanage(cmd, callback) {
command(vBoxManageBinary + cmd, callback);
}
The text was updated successfully, but these errors were encountered:
This is certainly true. However, we never expected that these API would ever directly consume public, unfiltered input. As such, node-virtualbox affords no protection against it.
It shouldn't really be the responsibility of node-virtualbox to police input, because:
We have no idea what virtual environment might be running behind the API, and
We have no idea and take no opinion about what the developer chooses to do with their virtual environment: maybe someone actually does need to be able to run sudo rm -rf / for some reason.
We should therefore remain un-opinionated with regard to how the API is used.
Thank you for bringing this up. At the very least, I could add a note in the README to underline this behaviour for those who may not be aware.
the functions below in virtualbox.js, could allow for a user to inject additional commands with the cmd variable (ex: "; pwd") resulting in remote command execution assuming this was public facing.
The text was updated successfully, but these errors were encountered: