修复插件shell命令注入漏洞 #1316
Merged
修复插件shell命令注入漏洞 #1316
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
修复插件shell命令注入漏洞
Codecov Report
@@ Coverage Diff @@
## master #1316 +/- ##
=======================================
Coverage 78.01% 78.01%
=======================================
Files 78 78
Lines 12220 12220
=======================================
Hits 9534 9534
Misses 2686 2686
Continue to review full report at Codecov.
|
|
漏了通过实例信息注入的方式,待补充 |
修复插件shell命令注入漏洞 - 通过实例信息注入
Merged
hhyo
previously approved these changes
Jan 5, 2022
|
和上个pr的冲突需要解决一下 |
已处理 |
hhyo
approved these changes
Jan 8, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
相关issue:后端RCE
之前参数注入漏洞已经修复过,但是用同样的方法可以通过配置各个插件的path或实例信息来注入自定义命令
补充:
2. 或在实例信息中注入:
影响范围:
soar
binglog2sql
sqladvisor
binlog
instance
修复:
与参数一样使用shlex.quote处理path