[OpenSIPS-Users] Best practices regarding exec module command injection

Erik H erikh998877 at gmail.com
Thu Sep 22 14:44:37 UTC 2022 

Hi again. Sorry, I should have read the documentation more carefully.
It has an example of such a scenario, with where stdin and envavp is
provided, and stdout and stderr are omitted:

exec("/home/../myscript.sh", "this is my $var(input) for exec\n", , ,
$avp(env));

Never mind then! Thanks for your help!

Regards,
Erirk

Den tors 22 sep. 2022 kl 16:34 skrev Erik H <erikh998877 at gmail.com>:
>
> Thanks Bogdan. I realized the escape approach will not work, since you
> cannot escape single quotes (') within a single quoted string in bash.
> So that rules out escaping, regardless of whether "s.escape.common" or
> "re.subst" is used (unless we surround our variables with double
> quotes, but that would mean escaping a whole bunch of different
> characters with large room for error).
>
> The "exec" module documentation has an example where "re.subst" is
> instead used for removing single quotes altogether:
>
> exec("update-stats.sh '$(ct{re.subst,/'//g})'");
>
> However, that could change the content of the variable which might not
> be desirable.
>
> Perhaps the best option is to use the "envavp" parameter when calling
> "exec", to pass the user-defined variables as ENV variables instead.
> That would completely avoid the injection issue.
>
> So another question regarding that, if that's ok:
>
> exec has this form:
>
> exec(command, [stdin], [stdout], [stderr], [envavp])
>
> Since "[envavp]" is last in the parameter list: how would you pass in
> the "envavp" parameter to "exec" without also using the "stdin",
> "stdout" and "stderr" parameters? The exec call will block if "stdout"
> is provided.
>
> Reference: https://opensips.org/html/docs/modules/3.1.x/exec.html#func_exec
>
> Regards,
> Erik
>
> Den fre 9 sep. 2022 kl 14:24 skrev Bogdan-Andrei Iancu <bogdan at opensips.org>:
> >
> > TO be honest I don;t know for sure what chars/sequences has to be
> > escaped being shell safe. The s.escape.common may not be enough, but you
> > can use the  re.subst [1] to manually escape more stuff
> >
> > [1] https://www.opensips.org/Documentation/Script-Tran-3-2#re.subst
> >
> > Regards,
> >
> > Bogdan-Andrei Iancu
> >
> > OpenSIPS Founder and Developer
> >    https://www.opensips-solutions.com
> > OpenSIPS Summit 27-30 Sept 2022, Athens
> >    https://www.opensips.org/events/Summit-2022Athens/
> >
> > On 9/9/22 11:57 AM, Erik H wrote:
> > > Hi Bogdan,
> > >
> > > Thanks for the reply! What about the general case, where it's not
> > > necessarily $tu that is being used but any user-supplied variable?
> > > Would s.escape.common suffice to avoid command injection?
> > >
> > > Regards,
> > > Erik
> > >
> > > Den tors 8 sep. 2022 kl 11:07 skrev Bogdan-Andrei Iancu <bogdan at opensips.org>:
> > >> Hi Erik,
> > >>
> > >> The $tu is the TO URI, so it should follow the URI syntax, which does
> > >> not allow shell specific chars in it (like " ' | >  aso). So it should
> > >> be safe. Nevertheless, you should force a URI specific parsing using the
> > >> {uri} transformation and try to separately push as params the username
> > >> and domain - again, just to be safe.
> > >>
> > >> Regards,
> > >>
> > >> Bogdan-Andrei Iancu
> > >>
> > >> OpenSIPS Founder and Developer
> > >>     https://www.opensips-solutions.com
> > >> OpenSIPS Summit 27-30 Sept 2022, Athens
> > >>     https://www.opensips.org/events/Summit-2022Athens/
> > >>
> > >> On 9/7/22 5:39 PM, Erik H wrote:
> > >>> Hi!
> > >>>
> > >>> What are the recommended practices to avoid command injection when
> > >>> using the exec module with user-defined variables as arguments?
> > >>>
> > >>> For example, say we have this code:
> > >>>
> > >>> exec("/home/.../myscript.sh '$tu'")
> > >>>
> > >>> (or with whatever user-defined value other than $tu we may want to use)
> > >>>
> > >>> Would this be vulnerable to command injection, or does OpenSIPS
> > >>> recognize that the quoted "$tu" value should be escaped? If it is
> > >>> vulnerable, how can we best avoid this? Does it suffice to use
> > >>> s.escape.common on the value?
> > >>>
> > >>> Regards,
> > >>> Erik
> > >>>
> > >>> _______________________________________________
> > >>> Users mailing list
> > >>> Users at lists.opensips.org
> > >>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >

More information about the Users mailing list