openshift / managed-scripts

BackplaneM3-managed scripts

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Injection attack possibility in kafka.py.

k-wall opened this issue · comments

Currently this library doesn't guard against the injection attacks. For instance, a malicious user could pass in a specially crafted kafka instance name or topic name (containing a white space) to cause undesired execution effects. Best practice tells us we should always code to avoid this possibility.

Building the cmd arrays explicitly, rather than splitting on whitespace, would be one possible resolution.

cmd = "-i statefulset/"+kafka+"-kafka -c kafka -- env - bin/kafka-topics.sh --bootstrap-server localhost:9096 --describe "

@robshelly

Thank you for raising the issue! Given the PR is merged, are we good to close this issue?

Yes this can be closed now. Thanks for pointing out the issue @k-wall.

@k-wall can we close this issue now as the pr has been merged