• Ich, einfach anders
    link
    fedilink
    12
    edit-2
    9 months ago

    Tl;dr: std::process::Command is vulnerable to shell injection if you invoke cmd.exe or *.{cmd,bat} on Windows.

    • @[email protected]
      link
      fedilink
      119 months ago

      How so? This exploit requires running a shell command in a way that permits an attacker to control the arguments provided. That doesn’t seem like it would be particularly common in build scripts.

      • @[email protected]
        link
        fedilink
        2
        edit-2
        9 months ago

        I’m thinking an xz-style attack where a malicious actor submits an “improvement” with an innocuous-looking change to the build script that ends up running arbitrary commands. Running a batch script seems like a reasonable thing for a build script to do (e.g. to run something like i18n or whatever), and a lot of project devs may not know much about how batch scripts work (many devs are more familiar with Linux-compatible shell scripts), so it could slip through. The batch script itself could be innocuous and thus not be caught by a reviewer.

  • @[email protected]
    link
    fedilink
    1
    edit-2
    9 months ago

    Were there actually any real-world use-cases affected by this? Do any of them not deserve to be named and shamed irregardless of this vulnerability?

    If it was up to me, I would nuke the cmd custom implementation, leave some helpful compile error messages behind, and direct users to some 3rd party crates to choose from.

    • @[email protected]
      link
      fedilink
      5
      edit-2
      9 months ago

      What custom implementation? The escaping logic?

      Edit: to be clear, there is no “custom implementation” of cmd itself, nor is the problem exclusive to Rust. This is a problem with the Windows cmd itself.