SPCVE-0001
API versions affected: [[changelog#Input sanitization added swagger https git selfprivacy org SelfPrivacy selfprivacy-rest-api pulls 5|All pre-1.1.0 releases]]
SelfPrivacy app versions affected: ≤0.2.4; fixed in 0.3.0
Discovered on: 16 Nov 2021
Addressed on: 17 Nov 2021
Description
Remote code execution vulnerability allowed root access to anyone, without any authorization. Was caused by the following factors:
- API had no authentication.
- No input sanitation used.
- Python's
subprocess.Popenwas called withshell=True.
At that time, there was no mechanism to upgrade API, so the server had to be recreated.
Taken measures
- Basic API auth added.
- All
subprocesscalls now don't useshell=true. - CI pipeline now includes bandit to prevent same mistakes in the future.
- More input sanitation added.
- Created a nix overlay to provide API upgrades automatically.