Fix command injection in contrib/sge.py qsub command#3439
Open
nileshpatil6 wants to merge 1 commit into
Open
Conversation
job_name, parallel_env, outfile and errfile are all interpolated into a shell string that gets run with shell=True. job_name and parallel_env come straight from task parameters, so a task with a crafted job_name or parallel_env could inject arbitrary shell commands into the qsub call. Quote these values with shlex.quote before formatting them into the command string. Added a test that checks a job_name containing shell metacharacters ends up as a single quoted argument instead of being split by the shell. Refs spotify#3419 Signed-off-by: nileshpatil6 <technil6436@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follows up on #3419.
The bug is in
_build_qsub_commandinluigi/contrib/sge.py. It builds a shell string like:and runs it with
subprocess.check_output(submit_cmd, shell=True).job_nameandpecome directly fromSGEJobTaskparameters (job_name,job_name_format,parallel_env), which are user supplied.outfile/errfileare built fromshared_tmp_dirand the task id, which also come from parameters. None of these were escaped before being dropped into the shell string, so a task with something likejob_name = "foo; rm -rf ~"would run that command when the job got submitted.Fix: quote
job_name,pe,outfileanderrfilewithshlex.quotebefore formatting them into the qsub command.n_cpuis left alone since it's anIntParameter.Added a test in
test/contrib/sge_test.pythat builds a qsub command with ajob_namecontaining; touch /tmp/pwnedand checks thatshlex.spliton the qsub portion of the command sees it as one argument, not two.Tested with:
test_track_joband the newtest_build_qsub_command_quotes_untrusted_fieldspass.test_run_job_with_dumpandtest_run_jobfail on my machine because they hitos.fstatvfs, which doesn't exist on Windows, unrelated to this change (same failure on master before my patch).