
OS Command Injection through Command Substitution #68

@EDMPL


Sorry for reporting it here. However, I found that the application has improper neutralization of special characters that possibly makes it possible to execute OS commands using the gorilla-cli argument/prompt. The tool can potentially be exploited through command injection techniques, enabling the execution of arbitrary system commands without explicit user approval, leading to potential system compromise.

Tested Version: 0.0.10
Environment: macOS Default Terminal & iTerm2 Terminal

Description:

The Gorilla-CLI application prompts users to select commands from a list of suggestions generated by a language model based on their input. It was observed that the application does not properly sanitize or neutralize special shell characters in the input it receives, specifically characters like $(), ` (backticks), and other forms of shell metacharacters.

This lack of input validation makes it possible for attackers to execute arbitrary system commands by passing specially crafted arguments via the command line. The application does not restrict the use of command substitution syntax such as $() or backticks (`), allowing malicious input to bypass the intended interactive prompt and directly execute OS commands.

Simple Proof of Concept (PoC):

2(2)

Example Obfuscation:

Screenshot 2024-10-19 at 16 28 41

Recommendation:
Introduce proper input sanitization mechanisms (blacklist / whitelist) to neutralize any potentially harmful shell characters (such as $() and `).

While exploiting this vulnerability requires user interaction and may present a higher level of complexity, it still constitutes a significant security risk, particularly in systems that rely on this tool for regular operations. Addressing this issue would ensure that the application adheres to best practices for secure input handling, preventing potential command injection exploits.
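One way to implement the check recommended above, as an added example that is not part of the original report and not Gorilla-CLI's own code: a quote-aware scan for the `$(` and backtick openers the report names, plus literal quoting of untrusted text. The function names are hypothetical, the sample commands are constructed, and it assumes the tool holds the command as a string before handing it to a POSIX shell.

```python
import shlex


def find_substitutions(command):
    """Return (offset, kind) for each `$(` or backtick a POSIX shell would expand.

    Single-quoted regions are skipped because nothing is expanded there;
    double-quoted regions are scanned because substitution still happens.
    `$((` arithmetic is also reported, which is deliberately conservative.
    """
    hits = []
    in_single = in_double = False
    i = 0
    while i < len(command):
        ch = command[i]
        if in_single:
            if ch == "'":          # only a single quote ends the region
                in_single = False
        elif ch == "\\":
            i += 1                 # backslash escapes the next character
        elif ch == "'" and not in_double:
            in_single = True
        elif ch == '"':
            in_double = not in_double
        elif ch == "`":            # opening and closing backticks both count
            hits.append((i, "backtick"))
        elif ch == "$" and command[i + 1:i + 2] == "(":
            hits.append((i, "$("))
        i += 1
    return hits


def review_suggestion(command):
    """Decide whether a command needs explicit approval before it is run."""
    hits = find_substitutions(command)
    return {"command": command, "needs_explicit_approval": bool(hits), "hits": hits}


def as_literal_argument(text):
    """Quote untrusted text so the shell treats it as one literal word."""
    return shlex.quote(text)


if __name__ == "__main__":
    # Constructed sample commands, not taken from the report's screenshots.
    for sample in ["ls -la", "echo $(id)", "echo '$(id)'", "ls `pwd`"]:
        print(review_suggestion(sample))
    print("echo " + as_literal_argument("$(id)"))
```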
