From 891693f7ce34f2183b38f8f1f39009c168ff45ac Mon Sep 17 00:00:00 2001 From: Andy Hartman <35241941+ahartma1@users.noreply.github.com> Date: Mon, 8 Jul 2019 12:41:41 -0500 Subject: [PATCH] Update security.md Arbitrary commands don't need to be embedded in terraform. One can run any command or set of commands from inside a terraform variable using the notation I show in my example. The Atlantis user itself should only be able to run a small set of commands. I would suggest the permissions be limited to running terraform, reading and writing only to the data-dir, and only when the source is the git repository, and the other pieces of code used to interact with the Pull Request. --- runatlantis.io/docs/security.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/runatlantis.io/docs/security.md b/runatlantis.io/docs/security.md index 5acc6bd83b..562c025ce7 100644 --- a/runatlantis.io/docs/security.md +++ b/runatlantis.io/docs/security.md @@ -56,3 +56,7 @@ Webhook secrets ensure that the webhook requests are actually coming from your V If you're using webhook secrets but your traffic is over HTTP then the webhook secrets could be stolen. Enable SSL/HTTPS using the `--ssl-cert-file` and `--ssl-key-file` flags. + +### Arbitrary command injection on comments +Any user with the ability to comment on the merge request can run any Linux command available to the Linux Atlantis User. Be certain that the Atlantis user is secured as much as possible from running damaging commands. +Example: terraform plan -- -var=$(rm -rf /)
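
Review bot: The added paragraph under "### Arbitrary command injection on comments" tells readers only to secure the Atlantis user "as much as possible", while the concrete guidance sits in the commit message and will not reach the docs: limit the user to running terraform, to reading and writing only the data-dir, and to the code that interacts with the pull request. Please move that into the section as a short list of mitigations. On the last added line, the example begins with `terraform plan` although the heading is about comments, so state exactly what is typed into the comment. Put the example in backticks like the `--ssl-cert-file` flag in the context line above, separate it from the paragraph with a blank line so it does not render as part of the same paragraph, and replace `rm -rf /` with a harmless command such as `id` so that nobody pasting the example damages a host. The text also says "merge request" where the commit message says "Pull Request"; pick one term and use it throughout.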