risk of code injection when creating agencies
kwe712 opened this issue · comments
Katharina Wehrmeister commented
The function LocalStub.createAgency creates an agency, using Go's exec package. In building the command for starting the agency's container, the name of a configured image is used without being checked first. This could make code injection possible if an image name is chosen containing ";", followed by any command. This command will be executed on the kubestub container.
Depending on how it is set, the same problem may be caused by the log level setting.
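One way to close the gap described above, as an added example that is not the project's own code: validate the image reference against an allow-list pattern, restrict the log level to a closed set, and hand each value to exec as its own argv element rather than through a shell. The function, flag names and the accepted reference shape are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// imageRefPattern allow-lists references shaped [host[:port]/]name[/name...]
// [:tag][@sha256:digest]; anything else (assumption for this example) is rejected.
var imageRefPattern = regexp.MustCompile(
	`^(?:[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[0-9]+)?/)?` + // optional registry
		`[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*` + // path
		`(?::[\w][\w.-]{0,127})?` + // optional tag
		`(?:@sha256:[a-f0-9]{64})?$`) // optional digest

// validLogLevels is a closed set, so the setting can never carry shell syntax.
var validLogLevels = map[string]bool{"debug": true, "info": true, "warn": true, "error": true}

// ValidateImageRef rejects anything that is not a plain image reference;
// a ';', a space or any other shell metacharacter never matches the pattern.
func ValidateImageRef(ref string) error {
	if len(ref) == 0 || len(ref) > 255 || !imageRefPattern.MatchString(ref) {
		return fmt.Errorf("invalid image reference %q", ref)
	}
	return nil
}

// AgencyCommand builds the container start command (flag names are assumptions
// for this example). Each value is its own argv element handed straight to
// exec, never to "sh -c", so no shell ever parses the configured strings.
func AgencyCommand(image, logLevel string) (*exec.Cmd, error) {
	if err := ValidateImageRef(image); err != nil {
		return nil, err
	}
	if !validLogLevels[logLevel] {
		return nil, fmt.Errorf("invalid log level %q", logLevel)
	}
	return exec.Command("docker", "run", "--rm", "-e", "LOG_LEVEL="+logLevel, image), nil
}

func main() {
	if cmd, err := AgencyCommand("localhost:5000/agency:1.0", "info"); err == nil {
		fmt.Println(cmd.Args)
	}
}
```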
Katharina Wehrmeister commented
Fixed with PR #13