Uploaded image for project: 'Thrift'
  1. Thrift
  2. THRIFT-3893

Command injection in format_go_output

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.3
    • Fix Version/s: 0.10.0
    • Component/s: Go - Compiler
    • Labels:

      Description

      format_go_output runs gofmt on a file_path which is derived from the service name. If a malicious user is able to provide a service name to a framework invoking thrift, a user-supplied service name could lead to shell command injection.

      A potential fix would be to escaping on the file_path or ensuring that it adheres to a whitelist of characters, e.g. [A-Za-z0-9_-].

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                jensg Jens Geyer
                Reporter:
                groebert@google.com Felix Groebert
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: