[THRIFT-3893] Command injection in format_go_output - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 0.9.3
Fix Version/s: 0.10.0
Component/s: Go - Compiler
Labels:
- security

Description

format_go_output runs gofmt on a file_path which is derived from the service name. If a malicious user is able to provide a service name to a framework invoking thrift, a user-supplied service name could lead to shell command injection.

A potential fix would be to escaping on the file_path or ensuring that it adheres to a whitelist of characters, e.g. [A-Za-z0-9_-].

Attachments

Issue Links

links to

GitHub Pull Request #1061

Activity

People

Assignee:: Jens Geyer

Reporter:: Felix Groebert

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 04/Aug/16 10:25

Updated:: 16/Sep/16 03:53

Resolved:: 10/Aug/16 07:36