pinger argument unparsing unsoundness
ijackson opened this issue · comments
For Reasons I was looking at the source code for this crate, and I found code like this:
fn ping_args(&self, target: String) -> Vec<String> {
...
if let Some(interface) = &self.interface {
args.push("-I".into());
args.push(interface.clone());
}
args.push(target);
This is unsound, because if target
starts with a -
it will be interpreted by ping
as an option. (By unsound I mean this: if this API is passed untrusted input, undesirable malfunctions, which might be security relevant, can occur.)
I don't think this is very exploitable, on Linux at least, because almost all of the options also require a target, which when this malfunction occurs won't be supplied. The worst that can be done seems to be to pass -V
or -h
and cause the rest of the pinger library to try to parse the help or version output, which will be a malfunction, but fairly harmless.
I suggest that the ping_args
function ought to take something like target: SyntaxCheckedTargetHost
(with struct SyntaxCheckedTargetHost(String)
and then in the common code you would check that the thing starts with an alphanumeric or [
or :
when constructing the SyntaxCheckedTargetHost
.
Thanks,.
You're right, the whole process of ping_with_interval
doesn't guard the target input.