2022-01-27 15:39:19 +02:00
# SPCVE-0001

**API versions affected**: [[changelog#Input sanitization added swagger https git selfprivacy org SelfPrivacy selfprivacy-rest-api pulls 5|All pre-1.1.0 releases]]

**SelfPrivacy app versions affected:** ≤0.2.4; fixed in 0.3.0

**Discovered on**: 16 Nov 2021

**Addressed on**: 17 Nov 2021

## Description

A remote code execution vulnerability allowed anyone to gain root access without any authorization. It was caused by the following factors:

- The API had no authentication.
- No input sanitization was used.
- Python's `subprocess.Popen` was called with `shell=True`.

At that time, there was no mechanism to upgrade the API, so the server had to be recreated.

## Measures taken

- Basic API auth was added.
- No `subprocess` call uses `shell=True` anymore.
- The CI pipeline now includes [bandit](https://github.com/PyCQA/bandit) to prevent the same mistakes in the future.
- More input sanitization was added.
- A [nix overlay](https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo) was created to provide API upgrades automatically.
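
The difference between the `shell=True` call pattern and the argv-list pattern with input validation, as an added example that is not SelfPrivacy's own code. The function names, the username allowlist and the `echo` command are assumptions chosen for illustration, and a POSIX shell is assumed.

```python
import re
import subprocess

# Assumed allowlist for a username field (illustrative, not the project's rule).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Constructed input: a harmless marker command stands in for an injected one.
CONSTRUCTED_INPUT = "alice; echo INJECTED"


def run_with_shell(username: str) -> str:
    """Pre-fix pattern: the input is spliced into a string that /bin/sh parses.

    bandit reports this call as B602 (subprocess with shell=True).
    """
    proc = subprocess.Popen(f"echo user={username}", shell=True,
                            stdout=subprocess.PIPE, text=True)
    return proc.communicate()[0]


def run_with_argv(username: str) -> str:
    """No shell: the input is one argv element, so ';' is literal data."""
    proc = subprocess.Popen(["echo", f"user={username}"],
                            stdout=subprocess.PIPE, text=True)
    return proc.communicate()[0]


def run_validated(username: str) -> str:
    """Post-fix pattern: reject unexpected input, then run without a shell."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    return run_with_argv(username)


if __name__ == "__main__":
    print(repr(run_with_shell(CONSTRUCTED_INPUT)))  # two commands ran
    print(repr(run_with_argv(CONSTRUCTED_INPUT)))   # one command, literal text
    try:
        run_validated(CONSTRUCTED_INPUT)
    except ValueError as exc:
        print(exc)                                  # refused before any exec
    print(repr(run_validated("alice")))
```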