[OpenSIPS-Users] Best practices regarding exec module command injection

Bogdan-Andrei Iancu bogdan at opensips.org
Fri Sep 9 12:24:28 UTC 2022 

TO be honest I don;t know for sure what chars/sequences has to be 
escaped being shell safe. The s.escape.common may not be enough, but you 
can use theĀ  re.subst [1] to manually escape more stuff

[1] https://www.opensips.org/Documentation/Script-Tran-3-2#re.subst

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

On 9/9/22 11:57 AM, Erik H wrote:
> Hi Bogdan,
>
> Thanks for the reply! What about the general case, where it's not
> necessarily $tu that is being used but any user-supplied variable?
> Would s.escape.common suffice to avoid command injection?
>
> Regards,
> Erik
>
> Den tors 8 sep. 2022 kl 11:07 skrev Bogdan-Andrei Iancu <bogdan at opensips.org>:
>> Hi Erik,
>>
>> The $tu is the TO URI, so it should follow the URI syntax, which does
>> not allow shell specific chars in it (like " ' | >  aso). So it should
>> be safe. Nevertheless, you should force a URI specific parsing using the
>> {uri} transformation and try to separately push as params the username
>> and domain - again, just to be safe.
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>     https://www.opensips-solutions.com
>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>     https://www.opensips.org/events/Summit-2022Athens/
>>
>> On 9/7/22 5:39 PM, Erik H wrote:
>>> Hi!
>>>
>>> What are the recommended practices to avoid command injection when
>>> using the exec module with user-defined variables as arguments?
>>>
>>> For example, say we have this code:
>>>
>>> exec("/home/.../myscript.sh '$tu'")
>>>
>>> (or with whatever user-defined value other than $tu we may want to use)
>>>
>>> Would this be vulnerable to command injection, or does OpenSIPS
>>> recognize that the quoted "$tu" value should be escaped? If it is
>>> vulnerable, how can we best avoid this? Does it suffice to use
>>> s.escape.common on the value?
>>>
>>> Regards,
>>> Erik
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

More information about the Users mailing list