Pydpiper currently suffers from a number of command injection issues. This should be considered more a reliability than a security issue since Pydpiper is meant to be run by users and not offered as a service to arbitrary users, and anyway the potential fixes (e.g. quoting via shlex.quote) may not be entirely secure.
Known parts of Pydpiper where this is an issue:
as of 2.0.16, we use Jinja2 templates to generate most shell commands but don't use shell escaping in the templates;
the flags --executor-wrapper, --command-wrapper, and --use-singularity simply generate larger bash commands, losing one level of escaping in the nested (sub)-command;
we hand generate single quotes to escape the square brackets in ANTs commands; this seems unreliable and it would be nice not to have to do this (although in fact it's probably unnecessary since the square brackets don't actually get (mis)-interpreted even when passed through bash)
flags are currently passed to executors on the command line, which seems like a hack and should probably be changed;
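The two failure modes in the issue above (values interpolated into a command template without shell escaping, and a wrapper that embeds an already-rendered command in a second `bash -c` layer) as an added example; this is not Pydpiper's code. It assumes the stdlib `string.Template` as a stand-in for Jinja2, `printf` as a stand-in for a real pipeline tool so it runs offline, and `bash -c` as the shape of the command a wrapper flag generates. The constructed input `brain.mnc; echo INJECTED` is the attacker- or typo-supplied value; the tokenizer shows what a POSIX shell would execute in each case.

```python
"""Added example (not Pydpiper code): unescaped template interpolation and the
extra quoting layer a shell wrapper needs.  string.Template stands in for
Jinja2 and printf stands in for a real pipeline tool (both assumptions)."""
import shlex
import subprocess
from string import Template

# Constructed input: a "filename" that carries shell metacharacters.
EVIL_INPUT = "brain.mnc; echo INJECTED"

# Same template for both renderings; only the interpolated value differs.
CMD_TMPL = Template("printf '%s\\n' $infile")


def render_unescaped(infile: str) -> str:
    """Mirror the reported bug: the value is dropped into the template verbatim."""
    return CMD_TMPL.substitute(infile=infile)


def render_quoted(infile: str) -> str:
    """Hardened: every interpolated value is shell-quoted before substitution."""
    return CMD_TMPL.substitute(infile=shlex.quote(infile))


def shell_tokens(cmd: str) -> list:
    """Split a command the way a POSIX shell would, keeping ';' as its own token
    (shlex.split alone would leave 'brain.mnc;' glued together)."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lex)


def count_commands(cmd: str) -> int:
    """Number of simple commands the shell would run: one per ';'-separated piece."""
    return 1 + sum(1 for tok in shell_tokens(cmd) if tok == ";")


def wrap_naive(inner: str) -> str:
    """Mirror the wrapper bug: embed the rendered command as-is, losing one
    level of quoting (assumed shape: 'bash -c <inner>')."""
    return f"bash -c {inner}"


def wrap_quoted(inner: str) -> str:
    """Each shell layer needs its own quoting of the *whole* inner command."""
    return f"bash -c {shlex.quote(inner)}"


def script_seen_by_bash(wrapped: str) -> str:
    """The script string bash -c actually receives: the token after '-c'.
    Anything after it becomes $0, $1, ... instead of part of the command."""
    toks = shell_tokens(wrapped)
    return toks[toks.index("-c") + 1]


def run_in_shell(cmd: str) -> str:
    """Execute through /bin/sh (only used from __main__; needs a POSIX shell)."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True,
                          check=False).stdout


if __name__ == "__main__":
    for label, cmd in (("unescaped", render_unescaped(EVIL_INPUT)),
                       ("quoted", render_quoted(EVIL_INPUT))):
        print(f"{label}: {cmd}")
        print("  tokens:", shell_tokens(cmd))
        print("  commands run:", count_commands(cmd))
        print("  output:", repr(run_in_shell(cmd)))
    inner = render_quoted(EVIL_INPUT)
    print("naive wrapper, bash -c sees:", repr(script_seen_by_bash(wrap_naive(inner))))
    print("quoted wrapper, bash -c sees:", repr(script_seen_by_bash(wrap_quoted(inner))))
```

The caveat from the issue holds: `shlex.quote` only turns a value into one opaque word for a POSIX shell. It does nothing for a value that the tool itself interprets (one starting with `-` is still parsed as an option), and it does not help when the wrapper is not a POSIX shell, which is why quoting is a mitigation rather than a full fix for passing arguments through command strings.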