Dear all,
the parsing that uses this regular expression, assembled via this code would allow a malicious user to inject whatever code that would be run on the testing machine. For example, an argument like:

--what pippo; rm -fr *

A new Issue was created by @rovere Marco Rovere.

@Dr15Jones, @dpiparo, @silviodonato, @smuzaffar, @makortel, @qliphy can you please review it and eventually sign/assign? Thanks.

cms-bot commands are listed here

Thanks Marco. I started a dummy test in cms-sw/cmssw#33490

@rovere , thanks for taking the time to look in to this. Yes I know this but this check is only valid for cms authenticated/authorized users e.g see

so we trust our valid users to not abuse it. The valid users have many options to abuse the system e.g. make a CMSSW PR with a unit test to delete every thing :-)

Let me just add that the issue is real (see https://cmssdt.cern.ch/jenkins/job/ib-run-pr-relvals/3747/consoleFull ).

The valid users have many options to abuse the system e.g. make a CMSSW PR with a unit test to delete every thing :-)

Interesting :-)

I wonder if we could put some fences, e.g. in Python you would use

subprocess.run(myCommand, shell=False,)

Maybe adjusting the regex and protecting against malicious execution on the target machine?

hmm ... two simple (simplistic??) suggestions:

a) replace RELVAL_OPTS="[a-zA-Z0-9_-][a-zA-Z0-9_-]" with RELVAL_OPTS="^[a-zA-Z0-9_-][a-zA-Z0-9_-]$" if you want the options to only contain alpha-numerics ... that would render any option with a ";" (and/or any other char) as failing the match.

b) simply replace any ";" in the options with "#" (that would need the options to be the last item when assembling the command as anything after the options will be ignored.

@dpiparo , I can update the regexp to be ^[-]{1,2}[a-zA-Z0-9_.,\s-]+ (note, we need to allow [,.] ). This will not allow to pass ; or any quotes. But as I wrote the risk is always there as any one who is allowed to start a PR test (i.e. CMSSW release managers, L2's and special users with test rights) can make a PR with a unit test to run any thing he/she wants.

see #1541

#1541 is merged now and cms-bot now does not allow ; in the relval_opts ( see cms-sw/cmssw#33490 (comment) where bot has thumbs down the comment with invalid opts). But as I said, the risk is still there. Only option to avoid this risk is that we only allow release managers to start tests and add test parameters but that is not practical.

This is the reason why our integration flow foresees review of the code before it's merged, right?

yes but I am not sure if it is reviewed thoroughly before requesting the tests to start :-)

#1541 fixes this