fix(security): build container command as argv, not sh -c (CWE-78); bind Mysterium UI to localhost#51
Conversation
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
|
Warning Review limit reached
Next review available in: 51 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughDocker container command construction switches from a shell-string ( ChangesCommand argv safety
Bandwidth Service Address Binding
Estimated code review effort: 3 (Moderate) | ~25 minutes Related issues: None specified. Related PRs: None specified. Suggested labels: security, runtime, refactor Suggested reviewers: GeiserX 🐰 A shell escaped, no more sneaky quotes, 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #51 +/- ##
==========================================
+ Coverage 61.91% 62.81% +0.89%
==========================================
Files 8 8
Lines 1783 1826 +43
==========================================
+ Hits 1104 1147 +43
Misses 597 597
Partials 82 82
🚀 New features to boost your workflow:
|
…ind Mysterium UI to localhost
The deploy path built the container command as sh -c "<substituted>", interpolating
user credentials into a shell string. Several catalog commands interpolate secrets
(honeygain, iproyal, traffmonetizer, packetshare), so a credential containing shell
metacharacters (; $() backticks | & quotes) or whitespace could break the deploy or
inject commands into the container (CWE-78).
buildCommandArgs now tokenizes the trusted maintainer template first (tokenizeCommand,
a quote-aware splitter with no expansion), then substitutes env per token, and passes
the result as config.Cmd with no shell -- a ${CRED} becomes exactly one inert argv
element regardless of its content. Empty command -> nil (image default preserved). This
also fixes a latent bug: argv is the intended '<entrypoint> -flag value' form, where the
old sh -c passed 'sh -c <flags>' to the image entrypoint.
Also binds Mysterium's UI/tequilapi to 127.0.0.1 (was 0.0.0.0, exposing the node control
API to the LAN under host networking); host-net + NET_ADMIN kept for VPN NAT traversal.
Verified: go build/vet/test -race green (tokenizer + injection unit tests); a live
busybox demo confirmed the old sh -c ran an injected ; command while the argv form keeps
it inert.
239950d to
1e391fd
Compare
Vulnerability (S3, CWE-78 command injection)
The deploy path built the container command as
config.Cmd = {"sh", "-c", substitute(command, env)}— user credentials interpolated into a shell string. Catalog commands that interpolate secrets:honeygain(-pass ${HONEYGAIN_PASSWORD}),iproyal(-password ${IPROYALPAWNS_PASSWORD}),traffmonetizer(--token ${TRAFFMONETIZER_TOKEN}),packetshare(-password=${...}). A credential containing;,$(), backtick, quote,&,|, or whitespace could break the deploy or inject commands into the container.Fix
buildCommandArgstokenizes the maintainer template first (trusted — only static flags +${VAR}placeholders), then substitutes env per token, and passes the result asconfig.Cmdwith no shell. A${CRED}becomes exactly one inert argv element regardless of its content.tokenizeCommandis a quote-aware POSIX-ish splitter (no expansion). Empty command →nil(image default preserved, as before).This also fixes a latent correctness bug: Docker
Cmdappends to the image ENTRYPOINT, so argv[-email, x, -pass, y]is the intended<binary> -email x -pass y; the oldsh -c "<flags>"passedsh -c …to the entrypoint (already broken for flag-style commands). Values with spaces (a device name "My Laptop") now stay one arg too.S2 — Mysterium management exposure
services/bandwidth/mysterium.ymlbound--ui.address=0.0.0.0 --tequilapi.address=0.0.0.0undernetwork_mode: host, exposing the node control UI/API (4449) to the LAN/VPS. Now127.0.0.1. Host-net +NET_ADMINkept (required for VPN NAT traversal; the collector uses the cloud API, not the local tequilapi).Verification
go build ./...,go vet ./...,go test -race ./...— all green (incl. newtokenizeCommand+ injection unit tests: a credentialp; rm -rf //$(x)/ backticks / space ends up as exactly one argv element).sh -cform executed an injected; <cmd>; the new argv form printed the identical value as one literal argument — no execution.Residual (non-blocking): per-DePIN-image argv-to-entrypoint spot-checks would need image pulls; the argv form is the standard Docker pattern and strictly better than the (already-broken)
sh -cform for these flag commands.Summary by CodeRabbit