asf-tooling opened a new issue, #988:
URL: https://github.com/apache/tooling-trusted-releases/issues/988

**ASVS Level(s):** [L1]

**Description:**

### Summary
The `sbomqs` command execution places the filename as a positional argument before the `--json` flag without using a `--` separator. This creates a vulnerability where filenames starting with `-` could be interpreted as command-line options rather than file arguments. The vulnerable code executes: `sbomqs score <filename> --json`. A file named `-version.cdx.json` would pass `safe.RelPath` validation (hyphen is allowed) but be interpreted as a flag. While parameterized execution prevents shell injection, the lack of a `--` separator allows option injection.
   
### Details
**Affected Files and Lines:**
- `atr/tasks/sbom.py:157-164` - sbomqs execution without `--` separator

The filename argument is placed before flags without a separator, allowing filenames starting with hyphens to inject options.
   
### Recommended Remediation
Place flags before the filename and add a `--` separator:

```python
proc = await asyncio.create_subprocess_exec(
    'sbomqs',
    'score',
    '--json',
    '--',  # Separator: everything after this is an operand, never an option
    full_path.name,
    stdout=asyncio.subprocess.PIPE,
    stderr=asyncio.subprocess.PIPE,
    cwd=full_path.parent
)
```

Additionally, add a Pydantic field validator to re-validate `file_path` at deserialization:

```python
@pydantic.field_validator('file_path')
@classmethod
def validate_file_path(cls, v: str) -> str:
    safe.RelPath(v)  # Re-validate; raises if the path is not a safe relative path
    return v
```
   
### Acceptance Criteria
- [ ] `--` separator added
- [ ] Flags placed before filename
- [ ] Pydantic validator added
- [ ] Option injection prevented
- [ ] Integration test verifies protection
- [ ] Unit test verifying the fix
   
### References
- Source reports: L1:1.2.5.md
- Related findings: FINDING-211
- ASVS sections: 1.2.5

### Priority
Medium
   
---

**Triage notes:** add validation for leading hyphens to safe.RelPath


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]