fix(service): Fixed shell injection vulnerability in the internal API (#1668)

## Problem

- https://github.com/agama-project/agama/security/code-scanning/2

## Solution

- Escape the path parameter so the special shell characters do not cause
problems

## Details

- The problem is only in the internal implementation; the DBus service
just uses the default (does not allow passing the parameter)
- But it potentially could be a problem in the future when we change the
API so let's fix it, the fix is trivial anyway
lslezak authored Oct 14, 2024
2 parents 0c3c8b5 + c268922 commit ebf9860
Showing 2 changed files with 9 additions and 1 deletion.
4 changes: 3 additions & 1 deletion service/lib/agama/manager.rb
Expand Up @@ -19,6 +19,8 @@
# To contact SUSE LLC about this file by physical or electronic mail, you may
# find current contact information at www.suse.com.

require "shellwords"

require "yast"
require "agama/config"
require "agama/network"
Expand Down Expand Up @@ -236,7 +238,7 @@ def valid?
#
# @return [String] path to created archive
def collect_logs(path: nil)
opt = "-d #{path}" unless path.nil? || path.empty?
opt = "-d #{path.shellescape}" unless path.nil? || path.empty?

`agama logs store #{opt}`.strip
end
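
Review bot: at the `agama logs store #{opt}` call, the command is still assembled as a single string and executed through the shell via backticks, so safety depends on every interpolated value being escaped by hand. `path.shellescape` closes the reported case, but passing the arguments as a list, for example `IO.popen(["agama", "logs", "store", "-d", path], &:read)`, would keep the shell from parsing the path at all. The commit changes only manager.rb and the changes file, so a unit test that calls `collect_logs` with a path containing spaces or `;` would guard against a regression.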
6 changes: 6 additions & 0 deletions service/package/rubygem-agama-yast.changes
@@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon Oct 14 14:52:26 UTC 2024 - Ladislav Slezák <[email protected]>

- Fixed shell injection vulnerability in the internal API
(gh#agama-project/agama#1668)

-------------------------------------------------------------------
Tue Oct 8 12:25:08 UTC 2024 - Ancor Gonzalez Sosa <[email protected]>
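
Review bot: the new changelog entry says only "internal API" and does not name the affected code; mentioning `collect_logs` in manager.rb and that the `path` argument is now shell-escaped would let packagers and auditors judge the impact without opening the pull request.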
