API versions affected: [[changelog#Input sanitization added swagger https git selfprivacy org SelfPrivacy selfprivacy-rest-api pulls 5|All pre-1.1.0 releases]]

SelfPrivacy app versions affected: ≤0.2.4; fixed in 0.3.0

Discovered on: 16 Nov 2021

Addressed on: 17 Nov 2021


A remote code execution vulnerability allowed root access to anyone, without any authorization. It was caused by the following factors:

  • The API had no authentication.
  • No input sanitization was used.
  • Python's subprocess.Popen was called with shell=True.

At that time, there was no mechanism to upgrade the API, so the server had to be recreated.

Measures taken

  • Basic API auth added.
  • No subprocess call uses shell=True any more.
  • The CI pipeline now includes bandit to prevent the same mistakes in the future.
  • More input sanitization added.
  • Created a Nix overlay to provide API upgrades automatically.
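As an added example (not SelfPrivacy's own code), the shell=True pattern named above next to the argv-list and input-validation fixes; the hostname-shaped field, its allowlist and the harmless `echo` stand-in are assumptions:

```python
"""Added example, not SelfPrivacy project code: why shell=True plus
unsanitized input gives command injection, and the hardened pattern
(argv list, allowlist validation) that the fixes above describe."""
import re
import subprocess

# Assumption: the API hands a hostname-like field to a system tool.
# Allowlist for such a field: letters, digits, dots and dashes only.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def run_vulnerable(name: str) -> str:
    """Pre-fix shape: untrusted text spliced into a shell command line.
    `echo` stands in for the real tool so the demo stays harmless."""
    cmd = f"echo {name}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def run_argv_only(name: str) -> str:
    """Same call with an argv list and no shell: the value reaches
    `echo` as one literal argument, metacharacters included."""
    out = subprocess.run(["echo", name], capture_output=True, text=True)
    return out.stdout


def validate_name(name: str) -> str:
    """Reject anything outside the allowlist before it reaches a process."""
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"invalid name: {name!r}")
    return name


def run_hardened(name: str) -> str:
    """Post-fix shape: validate, then pass as its own argv element."""
    return run_argv_only(validate_name(name))


if __name__ == "__main__":
    hostile = "example.org; echo INJECTED"  # constructed input
    print(run_vulnerable(hostile), end="")  # two lines: both commands ran
    print(run_argv_only(hostile), end="")   # one line, echoed verbatim
    try:
        run_hardened(hostile)
    except ValueError as e:
        print("rejected:", e)
```

Running it shows the shell form executing a second command while the argv form echoes the same string verbatim, which is the whole difference between the pre- and post-fix calls.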