Skip to content

fix/snapshot: prevent OS command injection via targets file#1351

Merged
cbrnrd merged 3 commits into
mainfrom
carterbrainerd-vuln-100-src-snapshot-run-allows-os-command-injection-via-malicious
Jul 8, 2026
Merged

fix/snapshot: prevent OS command injection via targets file#1351
cbrnrd merged 3 commits into
mainfrom
carterbrainerd-vuln-100-src-snapshot-run-allows-os-command-injection-via-malicious

Conversation

@cbrnrd

@cbrnrd cbrnrd commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Problem

src snapshot databases/restore --run built shell command strings by interpolating untrusted YAML fields (target, dbname, username, password) and executed them via exec.Command("bash", "-c", c), allowing shell-metacharacter injection. This could allow a malicious YAML author to run commands on a user's machine.

Solution

Don't use bash -c anymore!

Reworked internal/pgdump/pgdump.go to build commands as argv arrays instead of shell strings:

  • Added a Command struct (Env, Args, InputFile, OutputFile) with a Run() that executes directly via exec.Command(args[0], args[1:]...) and does file redirection in Go (ie no bash -c).
  • DumpCommand/RestoreCommand now return (args, env []string), so each untrusted value is a discrete argv element (e.g. --host=<target>, --dbname=<value>, PGPASSWORD in env).
  • For docker/kubectl builders, the target is a separate argv element and the nested sh -c/bash -c inner command is safely shell-quoted (shellQuote/shellQuoteEnv), preventing injection even inside the container.

Test plan

CI, net-new unit tests

@andreeleuterio andreeleuterio left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's get some eyes from @jac (or someone he points to)

@jac jac left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't looked at this in years but it looks good to me 👍🏻

@cbrnrd cbrnrd enabled auto-merge (squash) July 8, 2026 19:06
@cbrnrd cbrnrd merged commit b917d53 into main Jul 8, 2026
8 checks passed
@cbrnrd cbrnrd deleted the carterbrainerd-vuln-100-src-snapshot-run-allows-os-command-injection-via-malicious branch July 8, 2026 19:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants