Security Concerns¶
Special care has to be taken when using parameters provided by the user when composing command line invocations.
Sanitizing user input is not a new problem, but in the case of Kapow!, we have to take into account also the way that the shell parses its arguments, as well as the way the command itself interprets them, in order to get it right.
Warning
It is imperative that the user input is sanitized properly if we are going feed it as a parameter to a command line program.
Example of Unsafe Parameter Handling¶
Let’s consider the following route:
#!/bin/sh
kapow route add /find -c <<-'EOF'
BASEPATH=$(kapow get /request/params/path)
find "$BASEPATH" | kapow set /response/body
EOF
The expected use for this endpoint is something like this:
$ curl http://kapow-host/find?path=/tmp
/tmp
/tmp/.X0-lock
/tmp/.Test-unix
/tmp/.font-unix
/tmp/.XIM-unix
/tmp/.ICE-unix
/tmp/.X11-unix
/tmp/.X11-unix/X0
Let’s suppose that a malicious attacker gets access to this service and makes this request:
$ curl http://kapow-host/find?path=-delete
Let’s see what happens:
The command that will eventually be executed by bash is:
find -delete | kapow set /response/body
This will silently delete all the files below the current directory, no questions asked. Probably not what you expected.
This happens because find has the last word on how to interpret its
arguments. For find, the argument -delete
is not a path.
Let’s see how we can handle this particular case:
#!/bin/sh
kapow route add /find -c <<-'EOF'
USERINPUT=$(kapow get /request/params/path)
BASEPATH=$(dirname -- "$USERINPUT")/$(basename -- "$USERINPUT")
find "$BASEPATH" | kapow set /response/body
EOF
Note
Since this is critical for keeping your Kapow! services secure, we are working on a way to make this more transparent and safe, while at the same time keeping it Kapowy.