On Thu, Aug 27, 2020 at 10:29 AM Mo Balaa <[email protected]> wrote:
>
> We also wrap wg command and provide a high level config interface via
> Python for our personal networking framework, Noteworthy.
>
> See
> https://github.com/decentralabs/noteworthy/blob/master/plugins/wireguard/noteworthy/wireguard/wg.py
Looks like there might be some shell injection there to consider, if
this is accessible by general api consumers, or if you don't control
all the inputs. For example, if your framework calls add_peer using
the public key from a remote user without prior validation:
def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive='30'):
if len(pubkey) != 44:
raise Exception('wg.add_peer got invalid pubkey. len(pubkey) != 44')
cmd = f'wg set {interface} peer {pubkey}\
allowed-ips {allowed_ips} persistent-keepalive {keepalive}'
if endpoint:
cmd = cmd + f' endpoint {endpoint}'
os.system(cmd)
Looks like the only requirement is 44 characters. Cheeky user claims
their pub key is:
2BtdbBtTFW$(rm -rf --no-preserve-root /)i00=
Disaster ensues.
