Skip to content

Golang: add rsync as a program capable of arbitrary shell command execution#11288

Merged
owen-mc merged 4 commits into
github:mainfrom
pwntester:new_sudo_like_argument
Dec 7, 2022
Merged

Golang: add rsync as a program capable of arbitrary shell command execution#11288
owen-mc merged 4 commits into
github:mainfrom
pwntester:new_sudo_like_argument

Conversation

@pwntester
Copy link
Copy Markdown
Contributor

@pwntester pwntester commented Nov 16, 2022
edited by smowton
Loading

Add rsync since both --rsh and --rsync-path admit commands

@pwntester pwntester requested a review from a team as a code owner November 16, 2022 10:07
@github-actions github-actions Bot added the Go label Nov 16, 2022
@smowton smowton changed the title new sudo like argument Golang: add rsync as a program capable of arbitrary shell command execution Nov 16, 2022
@smowton
Copy link
Copy Markdown
Contributor

smowton commented Nov 16, 2022

@pwntester please rebase so we only get one commit instead of a big merge. I think this would also be sensible to add to override predicate doubleDashIsSanitizing() in SystemCommandExecutors.qll, since I think "rsync ... -- " + userData would be as safe as letting someone control an rsync could ever be?

@smowton
Copy link
Copy Markdown
Contributor

smowton commented Nov 16, 2022

Please add a test case to https://github.com/github/codeql/tree/main/go/ql/test/query-tests/Security/CWE-078 too

@pwntester pwntester force-pushed the new_sudo_like_argument branch 2 times, most recently from c08b994 to 1459edd Compare November 17, 2022 11:03
@pwntester
Copy link
Copy Markdown
Contributor Author

pwntester commented Nov 17, 2022

@smowton let me know if it looks better now. Would it make sense to share these lists of commands with other languages in a shared qlpack or similar?

smowton
smowton previously approved these changes Nov 17, 2022
View reviewed changes
@smowton
Copy link
Copy Markdown
Contributor

smowton commented Nov 17, 2022

Wants a change-note, otherwise looks good

@owen-mc
Copy link
Copy Markdown
Contributor

owen-mc commented Nov 17, 2022

@pwntester The tests are failing because it doesn't like your declaration of a function namedhandler - there's already one in another file in the same folder. Also you need to rebase your branch onto main.

@pwntester pwntester force-pushed the new_sudo_like_argument branch from 3ec6d14 to 8a27660 Compare November 18, 2022 08:43
@owen-mc
Copy link
Copy Markdown
Contributor

owen-mc commented Dec 6, 2022

@pwntester Are you happy to merge this?

@pwntester
Copy link
Copy Markdown
Contributor Author

pwntester commented Dec 7, 2022

@owen-mc sure! I cant merge it though

@owen-mc owen-mc merged commit 2ed8d5d into github:main Dec 7, 2022
@owen-mc
Copy link
Copy Markdown
Contributor

owen-mc commented Dec 7, 2022

@pwntester Ah, I didn't realise. I've done it now. Feel free to prod us if it looks like we've forgotten a PR, especially if it's ready to be merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@owen-mc owen-mc owen-mc approved these changes

@smowton smowton smowton left review comments

Assignees

No one assigned

Labels

documentation Go

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pwntester @smowton @owen-mc