
Document lack of sanitization #22

Closed
RobertBerger5 opened this issue Nov 11, 2021 · 1 comment

@RobertBerger5

This code appears to use child processes but doesn't sanitize the input. A project I was working on used this code for something like the following to run something in a container of the user's choosing:

docker.command('run <...> -d ' + containerName).then(...)

If the user just entered a semicolon after the container name, they could easily inject/run arbitrary commands on the host machine.

It's easy enough to only allow valid container names and nothing more in this instance, but the problem was not knowing that there was no sanitization being done behind the scenes. A more ambitious goal might be to make sure no malicious user input can get through, but until that's implemented there should at least be a note in the documentation about it.

@mattqs mattqs added the wontfix label Nov 13, 2021
@mattqs mattqs closed this as completed Nov 13, 2021
@mattqs mattqs reopened this Nov 13, 2021
@mattqs
Contributor

mattqs commented Nov 13, 2021

DON'T USE THIS LIBRARY WITH USER INPUT!!!!

@mattqs mattqs closed this as completed Nov 13, 2021