This repository has been archived by the owner on Aug 12, 2024. It is now read-only.

command injection is available #29

Open
nyasukun opened this issue Nov 22, 2015 · 3 comments

Comments

@nyasukun

Put the following command line in the chat window:
/docker pull ;xxxx

xxxx can be executed on the dockercraft server side.

@dave-tucker
Contributor

@nyasukun thanks for the report, but I can't seem to replicate the issue.
I've run /docker pull;echo "malicious code" > /go/foo.txt from the client, but that file doesn't appear on the server.
Can you suggest another example I can try?

@aduermael
Contributor

@nyasukun @dave-tucker I'm currently working on fixing #12; commands won't be transmitted the same way after that. But we should keep that issue open, as we will still have to take care of possible command injection.

@nyasukun
Author

@dave-tucker The plugin checks whether it is a docker command by looking at the 2nd arg, and the command line is created as a string joined with plus.
So the command should be /docker pull<space>;<some_single_command> to reproduce.

This issue is caused by using a shell to contact goproxy.
With @aduermael's work, it seems the shell will be bypassed and this issue will be fixed automatically.

Thanks
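
The difference discussed in this thread, between concatenating chat words into a shell command line and starting the program without a shell, as an added example that is not Dockercraft's code. `echo` stands in for goproxy, and the function names and the chat line are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// tool stands in for goproxy (assumption); echo simply prints its arguments.
const tool = "echo"

// chatArgs splits a chat line and drops the leading "/docker" word.
func chatArgs(chat string) ([]string, error) {
	words := strings.Fields(chat)
	if len(words) < 2 || words[0] != "/docker" {
		return nil, errors.New("not a /docker command")
	}
	return words[1:], nil
}

// viaShell mirrors the pattern described in the issue: the words are
// concatenated into one string and a shell parses it, so ';' ends the
// intended command and starts another one.
func viaShell(chat string) (string, error) {
	args, err := chatArgs(chat)
	if err != nil {
		return "", err
	}
	out, err := exec.Command("sh", "-c", tool+" "+strings.Join(args, " ")).Output()
	return string(out), err
}

// direct starts the tool without a shell: each word is one argv entry
// and ';' reaches the tool as ordinary data.
func direct(chat string) (string, error) {
	args, err := chatArgs(chat)
	if err != nil {
		return "", err
	}
	out, err := exec.Command(tool, args...).Output()
	return string(out), err
}

func main() {
	chat := "/docker pull ;echo INJECTED" // constructed chat line
	s, _ := viaShell(chat)
	d, _ := direct(chat)
	fmt.Printf("shell:  %q\ndirect: %q\n", s, d)
}
```

Dropping the shell removes metacharacter parsing only; words beginning with `-` are still interpreted as options by the program that receives them, so the arguments need validating as well.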
