Edge-home-orchestration-go: [Security] CWE-78 Command built from user-controlled sources

Created on 6 May 2021  ·  3 Comments  ·  Source: lf-edge/edge-home-orchestration-go

A CWE-78 security issue is detected by lgtm and CodeQL.
We need a process to check if the input that launches the native app contains a malicious string.

high priority

All 3 comments

@tdrozdovsky What do you think of a suggestion from @t25kim?

@tdrozdovsky This issue affects other PRs not related to CWE-78, such as #297, and should be fixed as soon as possible. I put some code for command validation before the code that launches the native app. However, CodeQL still detects CWE-78.
Is there any other way to resolve this issue? Or would it be possible to mark it as a false positive with PR #299?

Thank you for trying to eliminate this issue. Earlier, I wrote that there is a big vulnerability in the native mode, and then I was surprised that the system did not detect it. But now everything is displayed correctly and the vulnerability is detected.
This problem can be completely solved only at the system level using the protection mechanisms of the Linux kernel. But I will try to solve it within our project. As soon as I finish with the TLS, I will immediately do this issue.
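As an added illustration of the validate-before-launch approach discussed in this thread (example code written for this page, not from the edge-home-orchestration-go repository; the directory `/opt/edge-apps`, the function names and the character allow-lists are assumptions), the following shows the shell-based pattern CodeQL reports as CWE-78 next to a launcher that allow-lists the app name and arguments and passes them as an argv array with no shell in between:

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
)

// Constructed value: the only directory native apps may be launched from.
const allowedAppDir = "/opt/edge-apps"

var (
	ErrBadAppName  = errors.New("app name must be a plain file name in the app directory")
	ErrBadArgument = errors.New("argument contains characters that are not permitted")
	// Allow-lists instead of deny-lists: only characters with no shell meaning.
	appNamePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)
	argPattern     = regexp.MustCompile(`^[A-Za-z0-9._:/@=,-]*$`)
)

// vulnerableLaunch is the shape CodeQL reports as CWE-78: the request string
// reaches a shell, so separators such as ';' in it start additional commands.
func vulnerableLaunch(request string) *exec.Cmd {
	return exec.Command("sh", "-c", request)
}

// ValidateLaunch checks the app name and arguments before any process starts
// and returns the absolute path that will be executed.
func ValidateLaunch(app string, args []string) (string, error) {
	// Base(app) == app rejects "../x", "/bin/sh" and "dir/x"; the pattern rejects "." and "..".
	if app != filepath.Base(app) || !appNamePattern.MatchString(app) {
		return "", fmt.Errorf("%w: %q", ErrBadAppName, app)
	}
	for _, a := range args {
		if !argPattern.MatchString(a) {
			return "", fmt.Errorf("%w: %q", ErrBadArgument, a)
		}
	}
	return filepath.Join(allowedAppDir, app), nil
}

// SafeLaunch builds the command as an argv array with no shell in between, so
// even a validated argument is never re-parsed as shell syntax.
func SafeLaunch(app string, args []string) (*exec.Cmd, error) {
	path, err := ValidateLaunch(app, args)
	if err != nil {
		return nil, err
	}
	return exec.Command(path, args...), nil
}
```

Keeping the validation in a single function that the launcher must call also gives the static analyser a visible sanitiser on the data-flow path, which is what the taint query looks for.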
