Potential command injection risk in shell invocations that include user-controlled values without shell-escaping.

Examples

- openml_OS/helpers/api_helper.php, validate_arff(): builds a sed command using $name and $did to prepend an info line to an ARFF file. $name originates from dataset metadata and may contain characters that break quoting. This operation should avoid the shell entirely.
- openml_OS/controllers/Api_splits.php: multiple system()/exec() calls build Java commands from request-derived inputs. Some checks (is_safe, is_numeric) exist, but defense in depth suggests escaping every argument or using proc_open with an argv array.

Proposed fix

- Replace the sed call with pure PHP file I/O to prepend the info line.
- When shelling out to Java, strictly validate and/or escape all arguments (e.g., via escapeshellarg) and prefer argv arrays.
- Add unit tests covering edge-case names.

Acceptance criteria

- No use of unescaped user-provided values in shell commands.
- Prepend operation implemented without shell invocation.
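The following is an added example of the proposed fix, not code from the openml_OS code base. It prepends the ARFF info line with plain PHP file I/O, validates a numeric id before it reaches a command line, and starts Java through proc_open() with an argv array (PHP 7.4 or later on POSIX, where the array form bypasses the shell), with an escapeshellarg() string builder as the fallback for older PHP. The jar path /opt/tools/hypothetical.jar, the `-t`/`-n` flags and the sample dataset name are constructed placeholders.

```php
<?php
// Added example, not code from openml_OS. Demonstrates the two fixes above:
// shell-free prepend of the ARFF info line, and shell-free Java invocation.
// Jar path, tool flags and sample input are constructed placeholders.
declare(strict_types=1);

// Prepend "% Dataset <did>: <name>" to an ARFF file without a shell.
// Writes to a temp file in the same directory and renames it over the
// original, so an interrupted run cannot leave a truncated ARFF behind.
function arff_prepend_info(string $path, int $did, string $name): void
{
    // '%' starts an ARFF comment. Newlines are the only characters that
    // could smuggle in a second header line, so flatten them; quotes,
    // $(...), semicolons and backticks are inert bytes once no shell runs.
    $name = str_replace(["\r", "\n"], ' ', $name);
    $info = sprintf("%% Dataset %d: %s\n", $did, $name);

    $tmp = tempnam(dirname($path), 'arff');
    $in  = $tmp !== false ? fopen($path, 'rb') : false;
    $out = $tmp !== false ? fopen($tmp, 'wb') : false;
    if ($tmp === false || $in === false || $out === false) {
        if ($tmp !== false) { @unlink($tmp); }
        throw new RuntimeException("cannot rewrite $path");
    }
    fwrite($out, $info);
    stream_copy_to_stream($in, $out);   // streamed, so large files are fine
    fclose($in);
    fclose($out);

    // tempnam() creates the file 0600; keep the original's permissions.
    $mode = fileperms($path);
    if ($mode !== false) { chmod($tmp, $mode & 0777); }
    if (!rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("cannot replace $path");
    }
}

// Reject anything but a plain decimal id before it reaches a command line.
function require_numeric_id(string $value): int
{
    if (preg_match('/\A[0-9]{1,18}\z/', $value) !== 1) {
        throw new InvalidArgumentException("invalid id: $value");
    }
    return (int) $value;
}

// Run a Java tool with request-derived arguments and no shell.
// With an array command, proc_open() (PHP >= 7.4, POSIX) hands each element
// to execve() verbatim, so shell metacharacters in $args have no effect.
function run_java(string $jar, array $args): array
{
    $argv = array_merge(['java', '-jar', $jar], array_values($args));
    // stderr is redirected into stdout so a single read cannot deadlock.
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start java');
    }
    fclose($pipes[0]);
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'output' => $output];
}

// Fallback for PHP < 7.4, where proc_open()/exec() only take a string:
// every argument, including the jar path, goes through escapeshellarg().
function java_command_string(string $jar, array $args): string
{
    $quoted = array_map('escapeshellarg', array_merge([$jar], $args));
    return 'java -jar ' . implode(' ', $quoted);
}

// Constructed demo input: a dataset name that would break a quoted sed call.
$arff = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($arff, "@relation weather\n@attribute outlook {sunny,rainy}\n@data\nsunny\n");
$name = "weather'\"; rm -rf /tmp/x `id` \$(whoami)\n@attribute injected";
arff_prepend_info($arff, 61, $name);
echo file_get_contents($arff);   // the name lands inside one '%' comment line
unlink($arff);

$taskId = require_numeric_id('1234');
echo java_command_string('/opt/tools/hypothetical.jar', ['-t', (string) $taskId, '-n', $name]), "\n";
// run_java('/opt/tools/hypothetical.jar', ['-t', (string) $taskId, '-n', $name])
// would start the (hypothetical) tool the same way without any shell.
```

The argv form is preferable to escaping because there is nothing left to get wrong: no shell parses the arguments, so a name containing quotes, backticks or `$(...)` is passed as a single opaque string. escapeshellarg() remains the right tool only where a string command is unavoidable, and it must then wrap every argument, not just the ones that look suspicious. Unit tests for edge-case names should include a name with embedded newlines (the only character the prepend has to neutralize) and one with all of the shell metacharacters used in the demo input.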