
[Security] Code execution risk when running cdxgen against untrusted repos #1328

Closed
prabhu opened this issue Aug 26, 2024 · 4 comments · Fixed by #1614
Labels
mode:cli cdxgen used as cli mode:container mode:server cdxgen used as server security

Comments

@prabhu
Collaborator

prabhu commented Aug 26, 2024

This is a design limitation, without an immediate fix.

Summary

(Rewritten for clarity)

  • Users of cdxgen are known to run the tool against both trusted and untrusted codebases
  • cdxgen executes numerous external and package manager commands, including npm install, maven, gradle, and sbt commands
  • Many package managers support custom scripts and plugins to execute additional commands.
    • For example, when cdxgen invokes npm install (default behavior unless --no-install-deps is passed), npm could be invoking more commands as per the scripts section in the package.json file present in the given codebase.

POC

  1. Generate a gradle project with gradle init (choose all defaults, this will generate a Kotlin based DSL)
  2. Open build.gradle.kts
  3. Add this to the end of the file, e.g.

     val projectRoot = project.rootProject.projectDir

     val file = file("$projectRoot/hello.txt")
     file.writeText("hello world")

  4. Run "cdxgen -o bom.json" without any other params
  5. Result: the code above is being executed

Timeline

8 Aug 2024 - Email received from the researcher.
8 Aug 2024 - Initial response: Known acceptable risk that is consistent with executing any CLI command including the package manager commands themselves.
19 Aug 2024 - Researcher shared more details about attacking SCA scanners that wrap cdxgen such as OWASP dep-scan.
26 Aug 2024 - GitHub Issue created.

Known workarounds

  • Run cdxgen using the container image with limited volume mounts, random TEMP directories (avoid -v /tmp:/tmp and -v $HOME:$HOME), and a dedicated seccomp profile.
  • Use the argument --no-install-deps or --lifecycle pre-build to prevent cdxgen from running install commands. This may not work for all package managers.
  • Do not run cdxgen against untrusted codebases and with sudo/administrative privileges.
  • Use cdxgen with deno runtime.
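The summary and the workarounds above describe two different install-time execution paths: npm lifecycle scripts declared in package.json (which npm's --ignore-scripts can suppress) and build scripts such as build.gradle.kts that are themselves code and run whenever the build tool is invoked (which only skipping the install/resolve step avoids). The following pre-flight check is an added example written for this page, not code from cdxgen: it inspects an in-memory checkout for both paths and derives the cdxgen flags to use for an untrusted repository. The sample file contents at the bottom are constructed; `preflight`, `npmInstallHooks` and `cdxgenArgs` are hypothetical helper names, and the only cdxgen flags used are the ones named in the issue (--no-install-deps, --lifecycle pre-build, -o).

```javascript
// Added example, not cdxgen's own code: report what would execute if an SBOM
// generator ran the package manager's install/resolve step on a checkout, and
// pick the cdxgen flags for an untrusted one. Sample inputs are constructed.

// Lifecycle scripts npm runs as part of `npm install` for the root package.
const NPM_INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Build files whose whole content is executed by the build tool (Gradle DSL
// scripts run in the configuration phase of any Gradle task; sbt evaluates
// build.sbt). There is no --ignore-scripts equivalent for these.
const EXECUTABLE_BUILD_FILES = [
  "build.gradle.kts", "build.gradle", "settings.gradle.kts", "settings.gradle", "build.sbt",
];

// Returns the install-time hooks declared in a package.json text.
function npmInstallHooks(packageJsonText) {
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText);
  } catch {
    return []; // unparsable manifest: nothing npm could run from it
  }
  const scripts = (pkg && pkg.scripts) || {};
  return NPM_INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// files: Map of relative path -> file text (a real tool would walk the checkout).
function preflight(files) {
  const findings = [];
  for (const [path, text] of files) {
    const base = path.split("/").pop();
    if (base === "package.json") {
      for (const { hook, command } of npmInstallHooks(text)) {
        findings.push({
          file: path,
          kind: "npm-lifecycle-script",
          detail: `${hook}: ${command}`,
          mitigation: "npm --ignore-scripts, or cdxgen --no-install-deps",
        });
      }
    } else if (EXECUTABLE_BUILD_FILES.includes(base)) {
      findings.push({
        file: path,
        kind: "executable-build-script",
        detail: `${base} is executed on every build-tool invocation`,
        mitigation: "cdxgen --no-install-deps / --lifecycle pre-build, plus container isolation",
      });
    }
  }
  return findings;
}

// cdxgen argument vector: untrusted checkouts get the install step disabled.
function cdxgenArgs({ trusted, projectDir, outFile }) {
  const args = ["-o", outFile];
  if (!trusted) args.push("--no-install-deps", "--lifecycle", "pre-build");
  args.push(projectDir);
  return args;
}

// Constructed sample checkout mirroring the two scenarios from the issue.
const SAMPLE_CHECKOUT = new Map([
  ["package.json", JSON.stringify({ name: "demo", scripts: { postinstall: "node setup.js", test: "jest" } })],
  ["build.gradle.kts", 'val file = file("hello.txt")\nfile.writeText("hello world")\n'],
  ["README.md", "# demo"],
]);

for (const f of preflight(SAMPLE_CHECKOUT)) {
  console.log(`${f.file}: ${f.kind} (${f.detail}) -> ${f.mitigation}`);
}
console.log("cdxgen " + cdxgenArgs({ trusted: false, projectDir: ".", outFile: "bom.json" }).join(" "));
```

For the sample checkout this reports the postinstall hook and the Gradle build script as two separate findings with different mitigations, and prints `cdxgen -o bom.json --no-install-deps --lifecycle pre-build .` as the argument line for an untrusted run; the test script (jest) is not reported because npm does not run it during install.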
@CycloneDX CycloneDX deleted a comment Aug 26, 2024
@prabhu
Collaborator Author

prabhu commented Aug 27, 2024

Tasks

  • Update documentation and add log messages to warn about the risks of running cdxgen against untrusted codebases.
  • Add a new cli argument say --untrusted to configure some install commands. Example: for npm, we can pass --ignore-scripts argument. Need to investigate similar capabilities for other package managers.
  • Investigate seccomp and AppArmor profiles.

Stretch goals

@jdalton

jdalton commented Oct 29, 2024

This has now landed in the CVE database and is being reported by GitHub's security tab:

[image]

@prabhu
Collaborator Author

prabhu commented Jan 29, 2025

I have started working on a container image called cdxgen-secure. The idea is to use Node.js permission api and disable automatic installations by default.

@prabhu prabhu added mode:cli cdxgen used as cli mode:server cdxgen used as server mode:container and removed Consider Funding labels Jan 29, 2025
@prabhu prabhu moved this to In Progress in cdxgen top issues Jan 29, 2025
@prabhu
Collaborator Author

prabhu commented Jan 29, 2025

@eran-medan Could you kindly help test the new secure mode including the cdxgen-secure image?

As discussed in the below document, you can set an environment variable NODE_OPTIONS with some read and write options to limit the permissions for the cli.

https://github.com/CycloneDX/cdxgen/blob/master/docs/PERMISSIONS.md

Repotests workflow -

- name: repotests

cdxgen-secure container image can be executed as shown:

docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-secure:master cdxgen -r /app -o /app/bom.json -t java

Testing steps

Limit write permissions to only temp directory and *.json in the current directory.

export NODE_OPTIONS='--permission --allow-fs-read="/var/folders/h5/43_6kqvs4w7cclqtdbpj_7g80000gn/T/*" --allow-fs-write="/var/folders/h5/43_6kqvs4w7cclqtdbpj_7g80000gn/T/*" --allow-fs-read="*" --allow-fs-write="/Volumes/Work/sandbox/issue-1328/*.json" --allow-child-process'

Run cdxgen

node /Volumes/Work/CycloneDX/cdxgen/bin/cdxgen.js -o bom.json $(pwd)
(node:36104) SecurityWarning: The flag --allow-child-process must be used with extreme caution. It could invalidate the permission model.
(Use `node --trace-warnings ...` to show where the warning was created)
SECURE MODE: DO NOT run cdxgen with FileSystemRead permission set to wildcard.
SECURE MODE: DO NOT run cdxgen with FileSystemWrite permission set to wildcard.
Scanning /Volumes/Work/sandbox/issue-1328
Performing babel-based package usage analysis with source code at /Volumes/Work/sandbox/issue-1328
Executing /Volumes/Work/sandbox/issue-1328/gradlew --build-cache --console plain --no-parallel properties in /Volumes/Work/sandbox/issue-1328.
Executing /Volumes/Work/sandbox/issue-1328/gradlew --build-cache --console plain --no-parallel :app:properties in /Volumes/Work/sandbox/issue-1328.
Parsing /Volumes/Work/sandbox/issue-1328/gradle/wrapper/gradle-wrapper.jar
Ignored jar gradle-wrapper.jar gradle-wrapper undefined
Unable to extract the component information from /Volumes/Work/sandbox/issue-1328/gradle/wrapper/gradle-wrapper.jar
Obtained 0 components and 0 dependencies after dedupe.

gradle dependencies command will not get executed in secure mode by default and hence hello.txt will not get created. The SBOM would be empty.
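The secure-mode run above shows the two checks worth automating before launching a CLI under the Node.js permission model: cdxgen's own SECURE MODE messages fire when FileSystemRead or FileSystemWrite is granted as a wildcard, and Node itself warns about --allow-child-process because spawned processes are not covered by the model. The following audit function is an added example written for this page, not code from cdxgen or Node.js: it parses the permission flags out of a NODE_OPTIONS string and reports those conditions, using the exact NODE_OPTIONS value from the comment above as its first sample input and a constructed tighter variant as the second. `parsePermissionFlags` and `auditNodeOptions` are hypothetical names; the parser assumes the flag values contain no whitespace.

```javascript
// Added example, not cdxgen's or Node.js's own code: audit a NODE_OPTIONS
// string for Node.js permission-model flags before running a CLI under it.
// Assumption: flag values (paths) contain no whitespace.

// Collect the grants expressed by --permission / --allow-* flags. Repeated
// --allow-fs-read / --allow-fs-write flags accumulate.
function parsePermissionFlags(nodeOptions) {
  const grants = { permission: false, childProcess: false, read: [], write: [] };
  for (const tok of nodeOptions.trim().split(/\s+/).filter(Boolean)) {
    const eq = tok.indexOf("=");
    const flag = eq === -1 ? tok : tok.slice(0, eq);
    // strip the surrounding quotes a shell-quoted value may carry
    const value = eq === -1 ? "" : tok.slice(eq + 1).replace(/^["']|["']$/g, "");
    switch (flag) {
      case "--permission":
      case "--experimental-permission":
        grants.permission = true;
        break;
      case "--allow-child-process":
        grants.childProcess = true;
        break;
      case "--allow-fs-read":
        grants.read.push(value);
        break;
      case "--allow-fs-write":
        grants.write.push(value);
        break;
      default:
        break; // unrelated NODE_OPTIONS flag
    }
  }
  return grants;
}

// Returns the parsed grants plus the problems a defender would want flagged,
// mirroring the SECURE MODE and SecurityWarning messages seen in the run above.
function auditNodeOptions(nodeOptions) {
  const grants = parsePermissionFlags(nodeOptions);
  const problems = [];
  if (!grants.permission) {
    problems.push("no --permission flag: the allow-lists have no effect");
  }
  if (grants.read.includes("*")) {
    problems.push("FileSystemRead is a wildcard: any file on the host can be read");
  }
  if (grants.write.includes("*")) {
    problems.push("FileSystemWrite is a wildcard: any file on the host can be written");
  }
  if (grants.childProcess) {
    problems.push("--allow-child-process: spawned build tools run outside the permission model");
  }
  return { grants, problems };
}

// Sample 1: the NODE_OPTIONS value used in the run above (read grant is "*").
const OPTIONS_FROM_ISSUE =
  '--permission --allow-fs-read="/var/folders/h5/43_6kqvs4w7cclqtdbpj_7g80000gn/T/*" ' +
  '--allow-fs-write="/var/folders/h5/43_6kqvs4w7cclqtdbpj_7g80000gn/T/*" --allow-fs-read="*" ' +
  '--allow-fs-write="/Volumes/Work/sandbox/issue-1328/*.json" --allow-child-process';

// Sample 2 (constructed): reads and writes confined to one scan directory.
const OPTIONS_TIGHT = '--permission --allow-fs-read="/tmp/scan/*" --allow-fs-write="/tmp/scan/*.json"';

for (const opts of [OPTIONS_FROM_ISSUE, OPTIONS_TIGHT]) {
  const { problems } = auditNodeOptions(opts);
  console.log(problems.length ? problems.join("\n") : "no problems found");
}
```

On the first sample the audit reports the wildcard read grant and the child-process grant; on the second it reports nothing. A wildcard read grant matters even when writes are confined, because a build script run by the scanned project can still read anything the user can (credentials, SSH keys) once --allow-child-process hands it a process of its own.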
