fix: escape shell arguments in SDE import command to prevent command injection #447
Open
cchopin wants to merge 1 commit into
ff5fc81 to 298e00b
…injection
All values interpolated into the mysql and pg_restore shell commands (username, password, host, port, database, file path, table names) are now wrapped with escapeshellarg() to prevent shell injection if any configuration value contains special characters.
298e00b to 4cafa90
Contributor
Thank you for the report. We will investigate it further.
Security Fix: Command Injection in SDE Update Command
Vulnerability
The seat:eve:update:sde Artisan command builds a mysql shell command by directly concatenating user-supplied options (database host, user, password, name) without escaping:
Impact
An administrator running this command with malicious or unexpected characters in CLI options could trigger unintended shell execution. While this command requires administrative access to run, proper shell escaping is a fundamental security practice that prevents unexpected behavior from special characters (spaces, quotes, semicolons, backticks) in any configuration value.
Examples of inputs that would cause unexpected behavior without escaping:
- my database → splits into two shell tokens
- $(...) → triggers command substitution
- ; → allows command chaining
Fix
Wrapped all dynamic values passed to shell commands with escapeshellarg(), which correctly quotes and escapes the value for safe use as a single shell argument regardless of its content.
This fix covers both the MySQL and PostgreSQL import paths, including:
- importMysqlSde(): username, password (replacing the incorrect escapeshellcmd() usage), host, port, database name, and the extracted SQL file path
- importPgSqlSde(): password (in PGPASSWORD env var assignment), database name, host, port, username, table names, and the extracted dump file path
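How direct concatenation, escapeshellcmd() and escapeshellarg() each handle the three inputs listed in the description, as an added example that is not code from this pull request. It builds no mysql or pg_restore command and only asks the shell how it splits each value; the helper shellTokens() and the sample values are constructed for illustration, and a POSIX /bin/sh behind shell_exec() is assumed.

```php
<?php
// Added example, not the project's code. Assumes PHP CLI on a POSIX system
// where shell_exec() hands the command line to /bin/sh.

// Ask the shell how it splits $args: printf emits one bracketed line per
// argument it receives, so each returned element is one shell token.
function shellTokens(string $args): array
{
    $out = (string) shell_exec("printf '[%s]\\n' " . $args);
    return explode("\n", rtrim($out, "\n"));
}

// Constructed sample values mirroring the three cases in the description.
$samples = [
    'space'        => 'my database',
    'substitution' => '$(echo substituted)',
    'chaining'     => 'sde; echo chained',
];

foreach ($samples as $label => $value) {
    $forms = [
        'raw'            => $value,                  // direct concatenation
        'escapeshellcmd' => escapeshellcmd($value),  // backslashes metacharacters, leaves spaces
        'escapeshellarg' => escapeshellarg($value),  // single-quotes the whole value
    ];

    foreach ($forms as $how => $arg) {
        $tokens = shellTokens($arg);
        printf("%-12s %-14s %-26s => %s\n", $label, $how, $arg, implode(' ', $tokens));

        // Only escapeshellarg() must deliver the value as exactly one token,
        // byte for byte; fail loudly if that property does not hold.
        if ($how === 'escapeshellarg' && $tokens !== ['[' . $value . ']']) {
            throw new RuntimeException("escapeshellarg() did not preserve: $value");
        }
    }
}
```

In the output, an unbracketed line in the raw chaining case is the output of a second command the shell ran, and the escapeshellcmd() rows still show several tokens because that function does not quote whitespace.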