Skip to content

Latest commit

 

History

History
101 lines (82 loc) · 7.33 KB

vulnerabilities-workflow-1.md

File metadata and controls

101 lines (82 loc) · 7.33 KB

Vulnerability List

CSV Injection in Slice Flag Types allows Injection of Arbitrary Values

Description:

  1. The pflag library uses CSV parsing for slice flag types (IPSlice, BoolSlice, IPNetSlice, etc.) to process comma-separated values provided as command-line arguments.
  2. The *.Set functions (e.g., ipSliceValue.Set, boolSliceValue.Set, ipNetSliceValue.Set) in corresponding *_slice.go files utilize the readAsCSV function, which internally uses Go's standard csv.Reader.
  3. Although the code attempts to remove quotes before CSV parsing using strings.NewReplacer, this mitigation is insufficient.
  4. By crafting a malicious CSV input containing escaped quotes and commas, an attacker can inject arbitrary values into the list of parsed elements for these slice flags.
  5. If an application uses these parsed values for security decisions, such as access control, filtering or other logic, an attacker can bypass these controls or manipulate application behavior by injecting malicious values.

Impact: High

  • Successful exploitation allows an attacker to inject arbitrary values into the application's configuration via command-line flags that use slice types.
  • This can lead to:
    • Access Control Bypass (for IPSlice and IPNetSlice): If the application uses IPSlice or IPNetSlice flags to define allowed IP addresses or networks, an attacker can inject their IP address or network to gain unauthorized access to protected resources.
    • Logic Manipulation (for BoolSlice and other Slice types): For BoolSlice and other slice types, injection can manipulate application logic if the application relies on the parsed slice values for decision-making.
    • Data Injection: Attackers can inject arbitrary data into the application's data structures through command-line flags, potentially leading to unexpected behavior or further vulnerabilities depending on how the application processes this data.

Vulnerability Rank: High

Currently Implemented Mitigations:

  • Quote removal using strings.NewReplacer in *.Set functions in *_slice.go files (e.g., /code/ip_slice.go, /code/bool_slice.go, /code/ipnet_slice.go).
  • This mitigation is insufficient as it does not prevent advanced CSV injection techniques using escaped characters or other CSV syntax manipulations.

Missing Mitigations:

  • Robust CSV Input Sanitization: Implement proper input validation and sanitization for CSV inputs to all slice flag types. This should include:
    • Validating that each parsed value conforms to the expected data type (e.g., IP address for IPSlice, boolean for BoolSlice, IP network for IPNetSlice).
    • Properly handling and escaping special CSV characters (commas, quotes) to prevent injection.
    • Consider using a safer CSV parsing library or approach that is less susceptible to injection attacks, or avoid CSV parsing altogether if simpler parsing methods can be used.

Preconditions:

  • The target application must use the pflag library for command-line argument parsing.
  • The application must define and use slice flag types like IPSlice, BoolSlice, IPNetSlice, etc. to accept lists of values from the command line.
  • The application must rely on the values from these slice flags for security-sensitive operations or application logic.

Source Code Analysis:

  1. File: /code/ip_slice.go, /code/bool_slice.go, /code/ipnet_slice.go (and potentially other *_slice.go files)
  2. Function: ipSliceValue.Set(val string) error, boolSliceValue.Set(val string) error, ipNetSliceValue.Set(val string) error (and similar Set functions for other slice types)
  3. Vulnerable Code Block (Example from /code/ip_slice.go):
func (s *ipSliceValue) Set(val string) error {
    // remove all quote characters
    rmQuote := strings.NewReplacer(`"`, "", `'`, "", "`", "")

    // read flag arguments with CSV parser
    ipStrSlice, err := readAsCSV(rmQuote.Replace(val))
    if err != nil && err != io.EOF {
        return err
    }

    // parse ip values into slice
    out := make([]net.IP, 0, len(ipStrSlice))
    for _, ipStr := range ipStrSlice {
        ip := net.ParseIP(strings.TrimSpace(ipStr))
        if ip == nil {
            return fmt.Errorf("invalid string being converted to IP address: %s", ipStr)
        }
        out = append(out, ip)
    }
    ...
}

func readAsCSV(val string) ([]string, error) {
    if val == "" {
        return []string{}, nil
    }
    stringReader := strings.NewReader(val)
    csvReader := csv.NewReader(stringReader)
    return csvReader.Read()
}
  1. Explanation:
    • The Set functions for slice value types are responsible for parsing the string value provided to the flag.
    • They attempt to remove quotes using strings.NewReplacer before passing the value to readAsCSV.
    • The readAsCSV function uses csv.NewReader and csvReader.Read() to parse the input as a CSV record.
    • Vulnerability: The quote removal is not sufficient to prevent CSV injection. An attacker can craft a CSV string with escaped quotes and commas that will be parsed by csv.Reader to include malicious values, despite the quote removal attempt. The vulnerability is present in all slice types that use readAsCSV for parsing.

Security Test Case:

  1. Setup: Create a simple Go application that uses pflag and defines a BoolSlice flag named allowed-bools and an IPNetSlice flag named allowed-networks, in addition to the IPSlice flag allowed-ips from the previous test case. This application should simulate access control or logic based on these flags. For BoolSlice, simulate logic that behaves differently based on the boolean values. For IPNetSlice, simulate network-based access control.
  2. Initial Test (No Injection):
    • Run the application with --allowed-ips="127.0.0.1,192.168.1.1" --allowed-bools="true,false" --allowed-networks="192.168.1.0/24,10.0.0.0/16".
    • Verify that the application behaves as expected for valid inputs based on these flags.
  3. Injection Attempt (IPSlice): Run the application with a malicious payload for IPSlice CSV injection: --allowed-ips="127.0.0.1,\"8.8.8.8,10.10.10.10\",192.168.1.1".
  4. Injection Attempt (BoolSlice): Run the application with a malicious payload for BoolSlice CSV injection: --allowed-bools="true,\"false,true\",false".
  5. Injection Attempt (IPNetSlice): Run the application with a malicious payload for IPNetSlice CSV injection: --allowed-networks="192.168.1.0/24,\"172.16.0.0/12,10.0.0.0/8\",10.0.0.0/16".
  6. Verification:
    • For IPSlice, test access from the injected IP 10.10.10.10.
    • For BoolSlice, observe the application's behavior based on the injected boolean values (false,true injected as separate values).
    • For IPNetSlice, test access from an IP address within the injected network 10.0.0.0/8 (e.g., 10.0.0.1).
  7. Expected Result: If the vulnerability exists, the application will exhibit unexpected behavior due to the injected values:
    • For IPSlice, access from 10.10.10.10 will be allowed.
    • For BoolSlice, the application's logic will be manipulated by the injected booleans.
    • For IPNetSlice, access from 10.0.0.1 will be allowed.
  8. This demonstrates that CSV injection is possible across multiple slice flag types in pflag, allowing attackers to inject arbitrary values and manipulate application behavior.