Thanks, Jason, good catch. In Noteworthy we control both sides of the API but I'll get this fixed in case someone else happens to use this.
On Thu, Aug 27, 2020 at 3:35 AM Jason A. Donenfeld <[email protected]> wrote:
>
> On Thu, Aug 27, 2020 at 10:29 AM Mo Balaa <[email protected]> wrote:
> >
> > We also wrap wg command and provide a high level config interface via
> > Python for our personal networking framework, Noteworthy.
> >
> > See
> > https://github.com/decentralabs/noteworthy/blob/master/plugins/wireguard/noteworthy/wireguard/wg.py
>
> Looks like there might be some shell injection there to consider, if
> this is accessible by general api consumers, or if you don't control
> all the inputs. For example, if your framework calls add_peer using
> the public key from a remote user without prior validation:
>
> def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive='30'):
>     if len(pubkey) != 44:
>         raise Exception('wg.add_peer got invalid pubkey. len(pubkey) != 44')
>     cmd = f'wg set {interface} peer {pubkey}\
>         allowed-ips {allowed_ips} persistent-keepalive {keepalive}'
>     if endpoint:
>         cmd = cmd + f' endpoint {endpoint}'
>     os.system(cmd)
>
> Looks like the only requirement is 44 characters. Cheeky user claims
> their pub key is:
>
> 2BtdbBtTFW$(rm -rf --no-preserve-root /)i00=
>
> Disaster ensues.
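
An added example, not part of the thread and not Noteworthy's code: one way to harden the quoted add_peer is to check that the key is canonical base64 for exactly 32 bytes and to pass `wg` an argument list so no shell parses the inputs. The names `validate_pubkey`, `build_wg_argv`, `IFACE_RE`, the interface-name pattern and the keepalive range are assumptions made for this sketch.

```python
import base64
import binascii
import ipaddress
import re
import subprocess

# Assumption: Linux-style interface names, at most 15 chars, conservative charset.
IFACE_RE = re.compile(r'[A-Za-z0-9_.-]{1,15}')


def validate_pubkey(pubkey):
    """Accept only the canonical base64 encoding of a 32-byte key."""
    try:
        raw = base64.b64decode(pubkey, validate=True)
    except (binascii.Error, ValueError, TypeError) as exc:
        raise ValueError('pubkey is not valid base64') from exc
    if len(raw) != 32 or base64.b64encode(raw).decode() != pubkey:
        raise ValueError('pubkey must encode exactly 32 bytes')
    return pubkey


def build_wg_argv(interface, pubkey, allowed_ips, endpoint=None, keepalive='30'):
    """Build the argv for `wg set`; each value is one argument, never shell text."""
    if not IFACE_RE.fullmatch(interface) or interface.startswith('-'):
        raise ValueError('invalid interface name')
    nets = [str(ipaddress.ip_network(n.strip(), strict=False))
            for n in allowed_ips.split(',')]
    ka = int(keepalive)
    if not 0 <= ka <= 65535:
        raise ValueError('keepalive out of range')
    argv = ['wg', 'set', interface, 'peer', validate_pubkey(pubkey),
            'allowed-ips', ','.join(nets), 'persistent-keepalive', str(ka)]
    if endpoint:
        # Passed as a single argv element; wg itself parses host:port.
        argv += ['endpoint', endpoint]
    return argv


def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive='30'):
    # List argv with the default shell=False: no shell ever sees the inputs.
    subprocess.run(build_wg_argv(interface, pubkey, allowed_ips,
                                 endpoint, keepalive), check=True)


# Constructed sample inputs: the 44-character string quoted in the thread,
# and a made-up well-formed key (32 zero bytes).
QUOTED = '2BtdbBtTFW$(rm -rf --no-preserve-root /)i00='
SAMPLE_KEY = base64.b64encode(bytes(32)).decode()
```

The length-only check passes `QUOTED` because it is 44 characters long; `validate_pubkey` rejects it before any command is built.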
