CVE-2022-45875 Vulnerable Codes - Writeup
Unrelated Nonsense
hi everyone, i kinda wanna post more because i have some active machine writeups that i'm saving to post... but writeups are kind of like filler content, cause i'm planning to carry out some sec research projects, at least one big one, so i've been looking more into past CVEs and learning some methodology. i just happened to stumble upon this site and it's still growing but cool! so something simple
Actual Writeup
CVE-2022-45875 Apache DolphinScheduler
The following code snippet is part of a class in Apache DolphinScheduler. It is used to send alert messages by interacting with a shell script. Review the code to identify any potential concerns with its logic or implementation.
// https://github.com/apache/dolphinscheduler/blob/3.0.0-release/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
package org.apache.dolphinscheduler.plugin.alert.script;

import org.apache.dolphinscheduler.alert.api.AlertResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.util.Map;

public final class ScriptSender {
    private static final Logger logger = LoggerFactory.getLogger(ScriptSender.class);
    private static final String ALERT_TITLE_OPTION = " -t ";
    private static final String ALERT_CONTENT_OPTION = " -c ";
    private static final String ALERT_USER_PARAMS_OPTION = " -p ";
    private final String scriptPath;
    private final String scriptType;
    private final String userParams;

    ScriptSender(Map<String, String> config) {
        scriptPath = config.get(ScriptParamsConstants.NAME_SCRIPT_PATH);
        scriptType = config.get(ScriptParamsConstants.NAME_SCRIPT_TYPE);
        userParams = config.get(ScriptParamsConstants.NAME_SCRIPT_USER_PARAMS);
    }

    AlertResult sendScriptAlert(String title, String content) {
        AlertResult alertResult = new AlertResult();
        if (ScriptType.SHELL.getDescp().equals(scriptType)) {
            return executeShellScript(title, content);
        }
        return alertResult;
    }

    private AlertResult executeShellScript(String title, String content) {
        AlertResult alertResult = new AlertResult();
        alertResult.setStatus("false");
        if (Boolean.TRUE.equals(OSUtils.isWindows())) {
            alertResult.setMessage("shell script not support windows os");
            return alertResult;
        }
        //validate script path in case of injections
        File shellScriptFile = new File(scriptPath);
        //validate existence
        if (!shellScriptFile.exists()) {
            logger.error("shell script not exist : {}", scriptPath);
            alertResult.setMessage("shell script not exist : " + scriptPath);
            return alertResult;
        }
        //validate is file
        if (!shellScriptFile.isFile()) {
            logger.error("shell script is not a file : {}", scriptPath);
            alertResult.setMessage("shell script is not a file : " + scriptPath);
            return alertResult;
        }
        String[] cmd = {"/bin/sh", "-c", scriptPath + ALERT_TITLE_OPTION + "'" + title + "'" + ALERT_CONTENT_OPTION + "'" + content + "'" + ALERT_USER_PARAMS_OPTION + "'" + userParams + "'"};
        int exitCode = ProcessUtils.executeScript(cmd);
        if (exitCode == 0) {
            alertResult.setStatus("true");
            alertResult.setMessage("send script alert msg success");
            return alertResult;
        }
        alertResult.setMessage("send script alert msg error,exitCode is " + exitCode);
        logger.info("send script alert msg error,exitCode is {}", exitCode);
        return alertResult;
    }
}
- What is the name of the variable that stores the array of commands?
cmd

- What method is called to execute the commands in the array?

- What are the inputs included in constructing the commands? (use comma as separator e.g. x,v)
scriptPath,title,content,userParams
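
For contrast with the `cmd` array in the snippet above, here is a hardened counterpart as an added example (not from the original post and not the DolphinScheduler project's own patch): each of the four inputs is passed as its own argv element, so no shell ever re-parses the values. `SafeScriptRunner`, `buildArgv` and `run` are hypothetical names, the temp script and sample values are constructed, and the code assumes Java 11+ on a Unix-like host with `/bin/sh`.

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Added example, not DolphinScheduler code. SafeScriptRunner, buildArgv and
// run are hypothetical names; the -t/-c/-p options mirror the snippet above.
public final class SafeScriptRunner {

    // One argv element per value. No shell re-parses the values, so quotes,
    // semicolons, backticks or $() inside them remain plain data.
    static List<String> buildArgv(String scriptPath, String title,
                                  String content, String userParams) {
        // The absolute path starts with '/', so sh cannot read it as an option.
        String script = new File(scriptPath).getAbsolutePath();
        return List.of("/bin/sh", script,
                "-t", title, "-c", content, "-p", userParams);
    }

    static int run(List<String> argv) throws Exception {
        Process p = new ProcessBuilder(argv).inheritIO().start();
        if (!p.waitFor(10, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            return -1; // timed out
        }
        return p.exitValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the alert script: prints each argument
        // it receives between brackets, one per line.
        Path script = Files.createTempFile("alert", ".sh");
        Files.writeString(script, "for a in \"$@\"; do printf '[%s]\\n' \"$a\"; done\n");
        try {
            // Constructed sample values. The embedded quote is harmless here,
            // but it would unbalance the quoting of the "/bin/sh -c" string.
            List<String> argv = buildArgv(script.toString(),
                    "disk 'full' on node-1", "usage > 90%; check /var", "team=ops");
            int exit = run(argv);
            System.out.println("exit code: " + exit);
        } finally {
            Files.delete(script);
        }
    }
}
```

The stand-in script receives exactly six arguments, with the title and content arriving intact as single values, quote and semicolon included.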