Escape output file path in SQL dump shell commands#593
Open
flightlesstux wants to merge 1 commit into passbolt:master from
Conversation
mysqlDump(), mariaDbDump(), and postgresDump() all passed the output redirection path ($dir . $file) directly into an exec() shell command without escaping. Every other argument in the same commands was already wrapped with escapeshellarg(), leaving only the output path unprotected. A path containing shell metacharacters (semicolons, pipes, backticks, etc.) could be leveraged for command injection. Although the path is derived from server configuration rather than direct user input, defence-in-depth requires all shell arguments to be properly escaped. Wrap $dir . $file with escapeshellarg() in all three dump methods.
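As an added example that is not part of this PR or of passbolt's own code, the pattern in PHP: a hypothetical buildDumpCommand() assembles a mysqldump invocation with and without escapeshellarg() on the redirection target, and a hypothetical redirectionTargetIsQuoted() check confirms that the fixed form leaves the whole output path as one shell token. POSIX escapeshellarg() behaviour (single-quote wrapping) and constructed config values are assumed.

```php
<?php
// Added example (not passbolt's code): buildDumpCommand() is a hypothetical
// helper that assembles a mysqldump invocation the way the PR describes,
// and redirectionTargetIsQuoted() verifies the fix held. POSIX
// escapeshellarg() semantics (single-quote wrapping) are assumed.

/** $escapeOutput=false reproduces the pre-fix, unescaped redirection target. */
function buildDumpCommand(
    string $host, string $user, string $db, string $dir, string $file, bool $escapeOutput = true
): string {
    $outputPath = $dir . $file;
    $target = $escapeOutput ? escapeshellarg($outputPath) : $outputPath;

    return 'mysqldump'
        . ' --host=' . escapeshellarg($host)
        . ' --user=' . escapeshellarg($user)
        . ' ' . escapeshellarg($db)
        . ' > ' . $target;
}

/** True when everything after the last " > " is one single-quoted shell token. */
function redirectionTargetIsQuoted(string $command): bool
{
    $pos = strrpos($command, ' > ');
    if ($pos === false) {
        return false;
    }
    $target = substr($command, $pos + 3);
    if (strlen($target) < 2 || $target[0] !== "'" || substr($target, -1) !== "'") {
        return false;
    }
    // escapeshellarg() encodes an embedded quote as '\'' ; drop those, and the
    // inner text must hold no other quote that would end the token early.
    $inner = str_replace("'\\''", '', substr($target, 1, -1));
    return strpos($inner, "'") === false;
}

// Constructed config values: the directory holds a semicolon and a space.
$dir  = '/var/backups/passbolt;2024 dumps/';
$file = 'passbolt.sql';

$before = buildDumpCommand('localhost', 'passbolt', 'passbolt', $dir, $file, false);
$after  = buildDumpCommand('localhost', 'passbolt', 'passbolt', $dir, $file);

// Unquoted target: the ';' and the space are exposed to the shell.
var_dump($before, redirectionTargetIsQuoted($before));
// Quoted target: the entire path is a single argument to the redirection.
var_dump($after, redirectionTargetIsQuoted($after));
```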
Author: recheck
Author: @cla-assistant recheck
Member: Hey @flightlesstux, thanks for the PR. We have created an internal ticket to have a look at this (PB-50120).
Problem
mysqlDump(), mariaDbDump(), and postgresDump() in SqlExportCommand all construct a shell command using exec(). Every argument passed to the dump utilities is correctly wrapped with escapeshellarg() — except the output redirection path:
A path containing shell metacharacters (;, |, &&, backticks) can break out of the redirection context and execute arbitrary shell commands in the context of the web server process.
Fix
Wrap the concatenated output path with escapeshellarg() to match the treatment of all other arguments:
Applied consistently to all three dump methods: mysqlDump, mariaDbDump, postgresDump.
Impact