[Security] Code execution risk when running cdxgen against untrusted repos #1328

Open
prabhu opened this issue Aug 26, 2024 · 2 comments

Collaborator

prabhu commented Aug 26, 2024

This is a design limitation, without an immediate fix.

Summary

(Rewritten for clarity)

  • Users of cdxgen are known to run the tool against both trusted and untrusted codebases
  • cdxgen executes numerous external and package manager commands, including npm install, maven, gradle, and sbt commands
  • Many package managers support custom scripts and plugins to execute additional commands.
    • For example, when cdxgen invokes npm install (default behavior unless --no-install-deps is passed), npm could be invoking more commands as per the scripts section in the package.json file present in the given codebase.

POC

  1. Generate a gradle project with gradle init (choose all defaults, this will generate a Kotlin based DSL)
  2. Open build.gradle.kts
  3. Add this to the end of the file, e.g.

     val projectRoot = project.rootProject.projectDir

     val file = file("$projectRoot/hello.txt")
     file.writeText("hello world")

  4. Run “cdxgen -o bom.json” without any other params
  5. Result: the code above is being executed

Timeline

8 Aug 2024 - Email received from the researcher.
8 Aug 2024 - Initial response: Known acceptable risk that is consistent with executing any CLI command including the package manager commands themselves.
19 Aug 2024 - Researcher shared more details about attacking SCA scanners that wrap cdxgen such as OWASP dep-scan.
26 Aug 2024 - GitHub Issue created.

Known workarounds

  • Run cdxgen using the container image with limited volume mounts, random TEMP directories (avoid -v /tmp:/tmp and -v $HOME:$HOME), and a dedicated seccomp profile.
  • Use the argument --no-install-deps or --lifecycle pre-build to prevent cdxgen from running install commands. This may not work for all package managers.
  • Do not run cdxgen against untrusted codebases and with sudo/administrative privileges.
  • Use cdxgen with deno runtime.
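
An added example, not part of the issue thread or of cdxgen's code: a pre-flight check that lists what a checkout could make cdxgen's child commands run, covering the npm scripts and the Gradle, Maven and sbt build files named in the summary. The function names, the in-memory file map and the policy in planScan are assumptions of this example; the two cdxgen arguments are the ones quoted above.

```javascript
// Added example: pre-flight audit of an untrusted checkout before cdxgen runs.
// `files` maps relative path -> file text; helper names are hypothetical.
const NPM_INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Build definitions that are code themselves or can pull in plugins.
const EXECUTABLE_BUILD_FILES = [
  /(^|\/)(build|settings)\.gradle(\.kts)?$/,
  /(^|\/)pom\.xml$/,
  /(^|\/)build\.sbt$/,
];

function auditRepo(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (/(^|\/)package\.json$/.test(path)) {
      let scripts;
      try {
        scripts = JSON.parse(text).scripts || {};
      } catch {
        // A manifest we cannot read is treated as hostile, not as clean.
        findings.push({ path, kind: "unparseable-manifest" });
        continue;
      }
      for (const hook of NPM_INSTALL_HOOKS) {
        if (typeof scripts[hook] === "string") {
          findings.push({ path, kind: "npm-hook", hook, command: scripts[hook] });
        }
      }
    } else if (EXECUTABLE_BUILD_FILES.some((re) => re.test(path))) {
      findings.push({ path, kind: "executable-build-file" });
    }
  }
  return findings;
}

// Policy assumed for this example: npm findings add --no-install-deps; build
// files that the flag may not cover require the sandboxed container run.
function planScan(findings) {
  const args = ["-o", "bom.json"];
  const npmRisk = findings.some((f) => f.kind !== "executable-build-file");
  if (npmRisk) args.push("--no-install-deps");
  return { args, sandboxRequired: findings.some((f) => f.kind === "executable-build-file") };
}

// Constructed sample input: an npm hook plus a Gradle file like the POC's.
const sampleRepo = {
  "package.json": JSON.stringify({ scripts: { test: "jest", postinstall: "node setup.js" } }),
  "app/build.gradle.kts": 'file("$projectRoot/hello.txt").writeText("hello world")',
  "README.md": "# demo",
};
console.log(planScan(auditRepo(sampleRepo)));
```

An empty findings list only means none of these known hooks were seen; it does not make the repository trusted.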
@CycloneDX CycloneDX deleted a comment Aug 26, 2024
Collaborator Author

prabhu commented Aug 27, 2024

Tasks

  • Update documentation and add log messages to warn about the risks of running cdxgen against untrusted codebases.
  • Add a new CLI argument, say --untrusted, to configure some install commands. Example: for npm, we can pass the --ignore-scripts argument. Need to investigate similar capabilities for other package managers.
  • Investigate seccomp and AppArmor profiles.

Stretch goals


jdalton commented Oct 29, 2024

This has now landed in the CVE database and is being reported by GitHub's security tab:

Image
