Merge commit from fork

Fix command injection in waf_detector tool
yogeshojha · Jul 23, 2024 · edd3c85 · edd3c85
2 parents d74fa1f + dbf7299
commit edd3c85
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 7 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -38,6 +38,10 @@ Thank you for helping to keep reNgine and its users safe!
 
 Thanks to these individuals for reporting Security Issues in reNgine.
 
+### 2024
+
+* [HIGH] [Command Injection](https://github.com/yogeshojha/rengine/security/advisories/GHSA-fx7f-f735-vgh4) in Waf Detector, Reported by [n-thumann](https://github.com/n-thumann)
+
 ### 2022
 
 * [HIGH] [Blind command injection](https://huntr.dev/bounties/b255cf59-9ecd-4255-b9a2-b40b5ec6c572/) in CMS Detector, Reported by [Abdulrahman Abdullah](https://github.com/ph33rr)

diff --git a/web/api/views.py b/web/api/views.py
@@ -1,7 +1,6 @@
 import logging
 import re
 import socket
-import subprocess
 from ipaddress import IPv4Network
 
 import requests
@@ -269,12 +268,15 @@ def get(self, request):
 		response = {}
 		response['status'] = False
 
+		# validate url as a first step to avoid command injection
+		if not (validators.url(url) or validators.domain(url)):
+			response['message'] = 'Invalid Domain/URL provided!'
+			return Response(response)
+
 		wafw00f_command = f'wafw00f {url}'
-		output = subprocess.check_output(wafw00f_command, shell=True)
-		# use regex to get the waf
-		regex = "behind \\\\x1b\[1;96m(.*)\\\\x1b"
-		group = re.search(regex, str(output))
-
+		_, output = run_command(wafw00f_command, remove_ansi_sequence=True)
+		regex = r"behind (.*?) WAF"
+		group = re.search(regex, output)
 		if group:
 			response['status'] = True
 			response['results'] = group.group(1)
@@ -1155,6 +1157,11 @@ def get(self, request):
 		url = req.query_params.get('url')
 		#save_db = True if 'save_db' in req.query_params else False
 		response = {'status': False}
+
+		if not (validators.url(url) or validators.domain(url)):
+			response['message'] = 'Invalid Domain/URL provided!'
+			return Response(response)
+
 		try:
 			# response = get_cms_details(url)
 			response = {}

diff --git a/web/reNgine/tasks.py b/web/reNgine/tasks.py
@@ -3840,7 +3840,7 @@ def query_whois(ip_domain, force_reload_whois=False):
 		netlas_key = get_netlas_key()
 		command += f' -a {netlas_key}' if netlas_key else ''
 
-		result = subprocess.check_output(command.split()).decode('utf-8')
+		_, result = run_command(command, remove_ansi_sequence=True)
 		if 'Failed to parse response data' in result:
 			# do fallback
 			return {