[Security] Code execution risk when running cdxgen against untrusted repos #1328

Open
prabhu opened this issue Aug 26, 2024 · 2 comments

prabhu commented Aug 26, 2024

This is a design limitation, without an immediate fix.

Summary

(Rewritten for clarity)

  • Users of cdxgen are known to run the tool against both trusted and untrusted codebases
  • cdxgen executes numerous external and package manager commands, including npm install, maven, gradle, and sbt commands
  • Many package managers support custom scripts and plugins to execute additional commands.
    • For example, when cdxgen invokes npm install (default behavior unless --no-install-deps is passed), npm could be invoking more commands as per the scripts section in the package.json file present in the given codebase.

POC

  1. Generate a gradle project with gradle init (choose all defaults, this will generate a Kotlin based DSL)
  2. Open build.gradle.kts
  3. Add this to the end of the file, e.g.

     ```kotlin
     val projectRoot = project.rootProject.projectDir

     val file = file("$projectRoot/hello.txt")
     file.writeText("hello world")
     ```
  4. Run “cdxgen -o bom.json” without any other params
  5. Result: the code above is being executed

Timeline

8 Aug 2024 - Email received from the researcher.
8 Aug 2024 - Initial response: Known acceptable risk that is consistent with executing any CLI command including the package manager commands themselves.
19 Aug 2024 - Researcher shared more details about attacking SCA scanners that wrap cdxgen such as OWASP dep-scan.
26 Aug 2024 - GitHub Issue created.

Known workarounds

  • Run cdxgen using the container image with limited volume mounts, random TEMP directories (avoid -v /tmp:/tmp and -v $HOME:$HOME), and a dedicated seccomp profile.
  • Use the argument --no-install-deps or --lifecycle pre-build to prevent cdxgen from running install commands. This may not work for all package managers.
  • Do not run cdxgen against untrusted codebases and with sudo/administrative privileges.
  • Use cdxgen with deno runtime.
@CycloneDX CycloneDX deleted a comment Aug 26, 2024
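
A preflight check in the spirit of the workarounds above, as an added example (not part of the issue thread and not cdxgen code): it lists the files in a checkout that let a package manager run repository-controlled code, so the scan can be routed to `--no-install-deps` or a container. The function names and the two file/hook lists are assumptions of this example, limited to npm, Gradle and sbt; an empty result does not prove a repository is safe.

```javascript
// Added example: audit an untrusted checkout before pointing cdxgen at it.
const fs = require("fs");
const path = require("path");

// npm lifecycle scripts that run during a plain `npm install` in a project.
const NPM_INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepublish",
  "preprepare", "prepare", "postprepare"];
// Build definitions that are themselves code, evaluated when the build tool
// starts (assumed list, limited to tools named in the issue).
const CODE_BUILD_FILES = ["build.gradle", "build.gradle.kts", "settings.gradle",
  "settings.gradle.kts", "build.sbt"];
const SKIP_DIRS = new Set([".git", "node_modules"]);

// Report install hooks declared in one package.json.
function auditPackageJson(file, root) {
  const rel = path.relative(root, file);
  let scripts;
  try {
    scripts = JSON.parse(fs.readFileSync(file, "utf8")).scripts || {};
  } catch {
    // A manifest we cannot parse is reported, never silently treated as clean.
    return [{ file: rel, kind: "unparseable-manifest" }];
  }
  return NPM_INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ file: rel, kind: "npm-hook", hook: h, command: scripts[h] }));
}

// Walk the checkout and collect every finding.
function auditRepo(root) {
  const findings = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) continue; // never follow links out of the checkout
      if (entry.isDirectory()) {
        if (!SKIP_DIRS.has(entry.name)) walk(full);
      } else if (entry.name === "package.json") {
        findings.push(...auditPackageJson(full, root));
      } else if (CODE_BUILD_FILES.includes(entry.name)) {
        findings.push({ file: path.relative(root, full), kind: "build-script" });
      }
    }
  };
  walk(root);
  return findings;
}
```

Call `auditRepo("/path/to/checkout")` and treat any finding as a reason to scan without installs or inside an isolated container.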

prabhu commented Aug 27, 2024

Tasks

  • Update documentation and add log messages to warn about the risks of running cdxgen against untrusted codebases.
  • Add a new CLI argument, say --untrusted, to configure some install commands. Example: for npm, we can pass the --ignore-scripts argument. Need to investigate similar capabilities for other package managers.
  • Investigate seccomp and AppArmor profiles.

Stretch goals


jdalton commented Oct 29, 2024

This has now landed in the CVE database and is being reported by GitHub's security tab:

Image
