Skip to content

Golang: add rsync as a program capable of arbitrary shell command execution #11288

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
owen-mc merged 4 commits into from
Dec 7, 2022
Merged

Golang: add rsync as a program capable of arbitrary shell command execution #11288

owen-mc merged 4 commits into from
Dec 7, 2022

Conversation

@pwntester
Copy link
Contributor

@pwntester pwntester commented Nov 16, 2022
edited by smowton
Loading

Add rsync since both --rsh and --rsync-path admit commands

@pwntester pwntester requested a review from a team as a code owner November 16, 2022 10:07
@github-actions github-actions bot added the Go label Nov 16, 2022
@smowton smowton changed the title new sudo like argument Golang: add rsync as a program capable of arbitrary shell command execution Nov 16, 2022
@smowton
Copy link
Contributor

smowton commented Nov 16, 2022

@pwntester please rebase so we only get one commit instead of a big merge. I think this would also be sensible to add to override predicate doubleDashIsSanitizing() in SystemCommandExecutors.qll, since I think "rsync ... -- " + userData would be as safe as letting someone control an rsync could ever be?

@smowton
Copy link
Contributor

smowton commented Nov 16, 2022

Please add a test case to https://github.com/github/codeql/tree/main/go/ql/test/query-tests/Security/CWE-078 too

@pwntester pwntester force-pushed the new_sudo_like_argument branch 2 times, most recently from c08b994 to 1459edd Compare November 17, 2022 11:03
@pwntester
Copy link
Contributor Author

pwntester commented Nov 17, 2022

@smowton let me know if it looks better now. Would it make sense to share these lists of commands with other languages in a shared qlpack or similar?

smowton
smowton previously approved these changes Nov 17, 2022
View reviewed changes
@smowton
Copy link
Contributor

smowton commented Nov 17, 2022

Wants a change-note, otherwise looks good

@owen-mc
Copy link
Contributor

owen-mc commented Nov 17, 2022

@pwntester The tests are failing because it doesn't like your declaration of a function namedhandler - there's already one in another file in the same folder. Also you need to rebase your branch onto main.

@pwntester pwntester force-pushed the new_sudo_like_argument branch from 3ec6d14 to 8a27660 Compare November 18, 2022 08:43
@owen-mc
Copy link
Contributor

owen-mc commented Dec 6, 2022

@pwntester Are you happy to merge this?

@pwntester
Copy link
Contributor Author

pwntester commented Dec 7, 2022

@owen-mc sure! I cant merge it though

@owen-mc owen-mc merged commit 2ed8d5d into github:main Dec 7, 2022
@owen-mc
Copy link
Contributor

owen-mc commented Dec 7, 2022

@pwntester Ah, I didn't realise. I've done it now. Feel free to prod us if it looks like we've forgotten a PR, especially if it's ready to be merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@owen-mc owen-mc owen-mc approved these changes

@smowton smowton smowton left review comments

Assignees

No one assigned

Labels

documentation Go

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pwntester @smowton @owen-mc