Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Golang: add rsync as a program capable of arbitrary shell command execution #11288

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Golang: add rsync as a program capable of arbitrary shell command execution #11288

wants to merge 3 commits into from
+24 −2

Conversation

pwntester
Copy link
Contributor

@pwntester pwntester commented Nov 16, 2022
edited by smowton

Add rsync since both --rsh and --rsync-path admit commands

@pwntester pwntester requested a review from a team as a code owner Nov 16, 2022
@github-actions github-actions bot added the Go label Nov 16, 2022
@smowton smowton changed the title new sudo like argument Golang: add rsync as a program capable of arbitrary shell command execution Nov 16, 2022
@smowton
Copy link
Contributor

smowton commented Nov 16, 2022

@pwntester please rebase so we only get one commit instead of a big merge. I think this would also be sensible to add to override predicate doubleDashIsSanitizing() in SystemCommandExecutors.qll, since I think "rsync ... -- " + userData would be as safe as letting someone control an rsync could ever be?

@smowton
Copy link
Contributor

smowton commented Nov 16, 2022

Please add a test case to https://github.com/github/codeql/tree/main/go/ql/test/query-tests/Security/CWE-078 too

@pwntester pwntester force-pushed the new_sudo_like_argument branch 2 times, most recently from c08b994 to 1459edd Compare Nov 17, 2022
@pwntester
Copy link
Contributor Author

pwntester commented Nov 17, 2022

@smowton let me know if it looks better now. Would it make sense to share these lists of commands with other languages in a shared qlpack or similar?

smowton
smowton previously approved these changes Nov 17, 2022
View changes
@smowton
Copy link
Contributor

smowton commented Nov 17, 2022

Wants a change-note, otherwise looks good

@owen-mc
Copy link
Contributor

owen-mc commented Nov 17, 2022

@pwntester The tests are failing because it doesn't like your declaration of a function namedhandler - there's already one in another file in the same folder. Also you need to rebase your branch onto main.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@owen-mc owen-mc

@smowton smowton

Assignees
No one assigned
Labels
documentation Go
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@pwntester @smowton @owen-mc