SPCVE-0001
API versions affected: [[changelog#Input sanitization added swagger https git selfprivacy org SelfPrivacy selfprivacy-rest-api pulls 5|All pre-1.1.0 releases]]
SelfPrivacy app versions affected: ≤0.2.4; fixed in 0.3.0
Discovered on: 16 Nov 2021
Addressed on: 17 Nov 2021
Description
A remote code execution vulnerability allowed anyone to obtain root access on the server, without any authorization. It was caused by the following factors:
- The API had no authentication.
- No input sanitization was used.
- Python's subprocess.Popen was called with shell=True.
At that time there was no mechanism to upgrade the API, so the server had to be recreated.
Taken measures
- Basic API auth added.
- All subprocess calls now run without shell=True.
- The CI pipeline now includes bandit to prevent the same mistakes in the future.
- More input sanitization added.
- Created a Nix overlay to provide API upgrades automatically.
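The two subprocess patterns described above, side by side, as an added illustration (not the SelfPrivacy API's own code): the unsafe string-plus-shell=True form, the fixed argv-list form with a whitelist validator in front of it, and a minimal constant-time token check standing in for the added API auth. The service name, the systemctl command and the token check are assumptions made for the example.

```python
import hmac
import re
import subprocess
from typing import List

# Constructed example: a service name that arrives in an API request.
# Only a conservative whitelist is accepted; spaces, ';', '|', '$',
# backticks and newlines are rejected before they can reach a subprocess.
SERVICE_NAME_RE = re.compile(r"[a-z][a-z0-9_.-]{0,63}")


def build_command_unsafe(service: str) -> str:
    """The pre-1.1.0 pattern: one string handed to Popen(..., shell=True).

    /bin/sh re-parses the whole string, so shell metacharacters inside
    `service` become part of the command instead of part of the argument.
    """
    return f"systemctl restart {service}"


def is_valid_service_name(service: str) -> bool:
    """Input sanitization: accept only names matching the whitelist exactly."""
    return SERVICE_NAME_RE.fullmatch(service) is not None


def build_command_safe(service: str) -> List[str]:
    """The fixed pattern: validated input placed into an argv list.

    With shell=False each element reaches the program as one argument and
    is never interpreted by a shell.
    """
    if not is_valid_service_name(service):
        raise ValueError(f"invalid service name: {service!r}")
    return ["systemctl", "restart", service]


def run_safe(service: str) -> subprocess.CompletedProcess:
    # shell=False is the default; spelled out to make the contrast explicit.
    return subprocess.run(build_command_safe(service), shell=False,
                          capture_output=True, text=True, check=False)


def check_token(presented: str, expected: str) -> bool:
    """Minimal API auth check (hypothetical): constant-time token comparison."""
    return hmac.compare_digest(presented.encode(), expected.encode())
```

This is the pattern bandit flags as B602 (subprocess call with shell=True), which is why adding it to CI catches a regression before it ships.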