Description
A dedicated sanitize_input() function at validation.py:375-390 strips shell metacharacters (;, |, $, `, etc.) but is never called in any production code path. While asyncio.create_subprocess_exec(*command) (used instead of subprocess.run(shell=True)) prevents classic shell injection, there is no defense-in-depth validation of interpolated values. The _interpolate() function in plugins.py substitutes user-controlled values directly into command arguments without any validation. A value beginning with - or -- will be interpreted as a flag by the target tool's argument parser, and a value with embedded spaces can create unexpected argument boundaries if the interpolated command is word-split before execution.
Files Affected
secuscan/core/validation.py — sanitize_input() definition (lines 375-390)
secuscan/core/plugins.py — _interpolate() where sanitization should be applied
secuscan/core/executor.py — where sanitized arguments should be used
Expected Behavior
User-controlled values substituted into command arguments should be sanitized to strip or escape shell metacharacters, tool-specific flag prefixes, and other injection vectors.
Actual Behavior
sanitize_input() is defined but never called anywhere in production code. The _interpolate() function directly substitutes raw values. Attackers can inject tool-specific flags (--flag=value) through unsanitized fields like templates, user_agent, and config_file.
Steps to Reproduce
- Configure a scan with a plugin that has a templates string field
- Set the field value to contain a tool-specific flag: --debug --verbose
- Execute the scan
- Observe that the flag is passed directly to the scanning tool without sanitization
- Confirm sanitize_input() is never called by adding a debug log statement
Impact
Attackers with access to scan configuration can inject tool-specific flags through unsanitized string fields. While shell injection is prevented by the execve-style execution, flag injection and argument smuggling are possible through fields like templates, user_agent, and config_file.
Fix Required
Call sanitize_input() on each interpolated value in plugins.py:_interpolate(). Note that stripping shell metacharacters does not by itself stop flag injection, because a leading - is not a shell metacharacter; the controls that address it are the ones below. Add a -- separator before user-controlled positional arguments in command templates (this only helps for tools whose argument parser honours --; values passed to options still need validation). Add allowlist pattern validation to all string fields in plugin configurations, rejecting values that begin with - and, where the command is word-split after interpolation, values containing whitespace. The fix spans plugins.py, validation.py, and potentially executor.py.
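The following is an added example written for this report, not secuscan's own code. It models the reproduction steps above and the fix described in this section: an assumed string-form command template that is interpolated and then word-split (the behaviour the report attributes to _interpolate()), next to a hardened list-form interpolation with per-field allowlists, a refusal of values that start with -, and a -- separator in front of the positional target. The tool name scanner, the placeholders, the field patterns and the function names are assumptions made for illustration; the real allowlists must be derived from what each scanner field legitimately holds.

```python
import re
import shlex

# Constructed example, not secuscan's own code. The templates, field names and
# patterns below are assumptions made for illustration.

# Assumed string-form command template: interpolated and then word-split,
# which is what lets a value with embedded spaces become extra arguments.
TEMPLATE_STRING = "scanner --templates {templates} --user-agent {user_agent} {target}"

# Assumed list-form template: each placeholder is exactly one argv element,
# and the user-controlled positional argument sits behind a '--' separator.
TEMPLATE_ARGV = [
    "scanner",
    "--templates", "{templates}",
    "--user-agent", "{user_agent}",
    "--", "{target}",
]

# Per-field allowlists (assumed for the example; derive the real ones from
# what each scanner field legitimately holds).
FIELD_PATTERNS = {
    "target": re.compile(r"[A-Za-z0-9.:/\-]{1,253}"),
    "templates": re.compile(r"[A-Za-z0-9_./,\-]{1,512}"),
    "user_agent": re.compile(r"[A-Za-z0-9 ./();:+_\-]{1,256}"),
}

PLACEHOLDER = re.compile(r"\{(\w+)\}")


class InterpolationError(ValueError):
    """Raised when a user-controlled value fails validation."""


def interpolate_unsafe(template: str, values: dict) -> list:
    """The behaviour the report describes: raw substitution, then word
    splitting, so flags and extra arguments inside a value reach the tool."""
    return shlex.split(template.format(**values))


def validate_field(name: str, value) -> str:
    """Allowlist check plus an explicit refusal of option-looking values."""
    pattern = FIELD_PATTERNS.get(name)
    if pattern is None:
        raise InterpolationError(f"no validation pattern for field {name!r}")
    if not isinstance(value, str) or pattern.fullmatch(value) is None:
        raise InterpolationError(f"field {name!r} contains disallowed characters")
    # A leading '-' is what most argv parsers use to recognise a flag, so it
    # is rejected even when the allowlist admits '-' elsewhere in the value.
    if value.startswith("-"):
        raise InterpolationError(f"field {name!r} must not start with '-'")
    return value


def interpolate_safe(template_argv: list, values: dict) -> list:
    """Substitute each validated value as a single argv element. A placeholder
    must make up the whole element, so no value is ever re-split. The '--' in
    the template only protects positionals on tools whose parser honours it;
    option values are protected by the leading '-' check in validate_field."""
    argv = []
    for element in template_argv:
        match = PLACEHOLDER.fullmatch(element)
        if match is None:
            if PLACEHOLDER.search(element):
                raise InterpolationError(f"placeholder must be a whole element: {element!r}")
            argv.append(element)
            continue
        name = match.group(1)
        if name not in values:
            raise InterpolationError(f"missing value for field {name!r}")
        argv.append(validate_field(name, values[name]))
    return argv


def rejects(template_argv: list, values: dict) -> bool:
    """True when the hardened interpolation refuses the given configuration."""
    try:
        interpolate_safe(template_argv, values)
    except InterpolationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed scan configuration carrying the payload from the report.
    injected = {"target": "example.com", "templates": "--debug --verbose",
                "user_agent": "Mozilla/5.0 (compatible)"}
    print("unsafe argv:", interpolate_unsafe(TEMPLATE_STRING, injected))
    print("safe interpolation rejects payload:", rejects(TEMPLATE_ARGV, injected))
```

Running it shows the unsafe path handing the tool --debug and --verbose as separate argv entries and also splitting the user agent into two arguments, while the hardened path refuses the configuration before anything reaches asyncio.create_subprocess_exec(). The leading-dash check matters independently of the allowlist: a user agent of -H passes a pattern that permits hyphens, and only that check stops it from reaching the option parser.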