Comments (4)
By the way, the same commit adds a shell command injection with this line if you control zip_path:
p = subprocess.Popen(" ".join(["7z", "x", zip_path, "-o" + dst_path, "-y" , ">" , "/dev/nul"]), stdout=subprocess.PIPE, shell=True)
from kuiper.
hello
This commit was left in by mistake after testing.
Regarding 7z, it is used to avoid using zipfile in Python, since it sometimes gives errors when decompressing zip files. I think it is an issue with ZipFile in Python 2.7.
from kuiper.
Hi saleh,
The point is that using " ".join(...) AND shell=True is highly insecure. You can just pass a list directly as the first Popen parameter rather than joining a string, which will cause all arguments to be quoted properly.
subprocess.Popen(["7z", "x", zip_path, "-o" + dst_path, "-y"], stdout=subprocess.PIPE)  # 7z's -o switch takes the directory attached, with no space
from kuiper.
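An added example (Python 3, not Kuiper's code; the helper names are hypothetical) illustrating the reply above: the argv-list form hands a path containing spaces and shell metacharacters to the child unchanged, while flattening it with " ".join(...) changes how many words a shell would see. It also includes a containment check for an upload-controlled name, since the thread notes that archive paths come from user uploads.

```python
import shlex
import subprocess
import sys
from pathlib import Path

# Hypothetical helper names; Kuiper's own code is not reproduced here.

def build_7z_argv(zip_path, dst_path):
    """argv for 7z as a list: no shell, so metacharacters in zip_path are inert.
    7z's -o switch takes the output directory attached, without a space."""
    return ["7z", "x", str(zip_path), "-o" + str(dst_path), "-y"]

def tokens_after_join(argv):
    """How many words a shell would see if argv were flattened with " ".join(argv)
    and run with shell=True (the pattern from the commit): word splitting breaks
    paths containing spaces, and unquoted metacharacters keep their meaning."""
    return len(shlex.split(" ".join(argv)))

def tokens_after_shlex_join(argv):
    """shlex.join quotes each element, so the shell sees exactly len(argv) words.
    Prefer the list form anyway; this is only for cases that truly need a shell."""
    return len(shlex.split(shlex.join(argv)))

def safe_under(base_dir, upload_name):
    """Defensive check for the other half of the problem: a user-controlled name
    must stay inside the upload directory (rejects ../ traversal)."""
    base = Path(base_dir).resolve()
    candidate = (base / upload_name).resolve()
    return base == candidate or base in candidate.parents

def argv_reaches_child_unchanged(arg):
    """Run a child without a shell and confirm it receives `arg` byte-for-byte.
    The Python interpreter is used as the child so the demo runs anywhere."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", arg]
    result = subprocess.run(child, stdout=subprocess.PIPE, check=True)
    return result.stdout.decode() == arg

if __name__ == "__main__":
    # Constructed sample path: contains a space and a shell metacharacter.
    zip_path = "case 1 & notes.zip"
    argv = build_7z_argv(zip_path, "/tmp/out")
    print("argv:", argv)
    print("words seen by shell after ' '.join:", tokens_after_join(argv))
    print("words seen by shell after shlex.join:", tokens_after_shlex_join(argv))
    print("child got argument unchanged:", argv_reaches_child_unchanged(zip_path))
    print("upload name stays in base dir:", safe_under("/tmp/uploads", "case1/a.zip"))
```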
A lot of security concerns were not taken into consideration; the assumption is that Kuiper is running in a closed environment. If somebody wants to run malicious code, it is possible to upload it as a new parser :)
from kuiper.