[OpenSIPS-Users] Best practices regarding exec module command injection

Thu Sep 22 14:34:36 UTC 2022

Thanks Bogdan. I realized the escape approach will not work, since you
cannot escape single quotes (') within a single quoted string in bash.
So that rules out escaping, regardless of whether "s.escape.common" or
"re.subst" is used (unless we surround our variables with double
quotes, but that would mean escaping a whole bunch of different
characters with large room for error).

The "exec" module documentation has an example where "re.subst" is
instead used for removing single quotes altogether:

exec("update-stats.sh '$(ct{re.subst,/'//g})'");

However, that could change the content of the variable which might not
be desirable.

Perhaps the best option is to use the "envavp" parameter when calling
"exec", to pass the user-defined variables as ENV variables instead.
That would completely avoid the injection issue.

So another question regarding that, if that's ok:

exec has this form:

exec(command, [stdin], [stdout], [stderr], [envavp])

Since "[envavp]" is last in the parameter list: how would you pass in
the "envavp" parameter to "exec" without also using the "stdin",
"stdout" and "stderr" parameters? The exec call will block if "stdout"
is provided.

Reference: https://opensips.org/html/docs/modules/3.1.x/exec.html#func_exec

Regards,
Erik

Den fre 9 sep. 2022 kl 14:24 skrev Bogdan-Andrei Iancu <bogdan at opensips.org>:
>
> TO be honest I don;t know for sure what chars/sequences has to be
> escaped being shell safe. The s.escape.common may not be enough, but you
> can use the  re.subst [1] to manually escape more stuff
>
> [1] https://www.opensips.org/Documentation/Script-Tran-3-2#re.subst
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>    https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
>    https://www.opensips.org/events/Summit-2022Athens/
>
> On 9/9/22 11:57 AM, Erik H wrote:
> > Hi Bogdan,
> >
> > Thanks for the reply! What about the general case, where it's not
> > necessarily $tu that is being used but any user-supplied variable?
> > Would s.escape.common suffice to avoid command injection?
> >
> > Regards,
> > Erik
> >
> > Den tors 8 sep. 2022 kl 11:07 skrev Bogdan-Andrei Iancu <bogdan at opensips.org>:
> >> Hi Erik,
> >>
> >> The $tu is the TO URI, so it should follow the URI syntax, which does
> >> not allow shell specific chars in it (like " ' | >  aso). So it should
> >> be safe. Nevertheless, you should force a URI specific parsing using the
> >> {uri} transformation and try to separately push as params the username
> >> and domain - again, just to be safe.
> >>
> >> Regards,
> >>
> >> Bogdan-Andrei Iancu
> >>
> >> OpenSIPS Founder and Developer
> >>     https://www.opensips-solutions.com
> >> OpenSIPS Summit 27-30 Sept 2022, Athens
> >>     https://www.opensips.org/events/Summit-2022Athens/
> >>
> >> On 9/7/22 5:39 PM, Erik H wrote:
> >>> Hi!
> >>>
> >>> What are the recommended practices to avoid command injection when
> >>> using the exec module with user-defined variables as arguments?
> >>>
> >>> For example, say we have this code:
> >>>
> >>> exec("/home/.../myscript.sh '$tu'")
> >>>
> >>> (or with whatever user-defined value other than $tu we may want to use)
> >>>
> >>> Would this be vulnerable to command injection, or does OpenSIPS
> >>> recognize that the quoted "$tu" value should be escaped? If it is
> >>> vulnerable, how can we best avoid this? Does it suffice to use
> >>> s.escape.common on the value?
> >>>
> >>> Regards,
> >>> Erik
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.opensips.org
> >>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>