

Merge commit from fork
Fix command injection in waf_detector tool
yogeshojha authored Jul 23, 2024
2 parents d74fa1f + dbf7299 commit edd3c85
Showing 3 changed files with 18 additions and 7 deletions.
4 changes: 4 additions & 0 deletions .github/SECURITY.md
Expand Up @@ -38,6 +38,10 @@ Thank you for helping to keep reNgine and its users safe!

Thanks to these individuals for reporting Security Issues in reNgine.

### 2024

* [HIGH] [Command Injection](https://github.com/yogeshojha/rengine/security/advisories/GHSA-fx7f-f735-vgh4) in Waf Detector, Reported by [n-thumann](https://github.com/n-thumann)

### 2022

* [HIGH] [Blind command injection](https://huntr.dev/bounties/b255cf59-9ecd-4255-b9a2-b40b5ec6c572/) in CMS Detector, Reported by [Abdulrahman Abdullah](https://github.com/ph33rr)
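--- a/web/api/views.py
+++ b/web/api/views.py
@@ -1,7 +1,6 @@
 import logging
 import re
 import socket
-import subprocess
 from ipaddress import IPv4Network
 
 import requests
@@ -269,12 +268,15 @@ def get(self, request):
 response = {}
 response['status'] = False
 
+# validate url as a first step to avoid command injection
+if not (validators.url(url) or validators.domain(url)):
+response['message'] = 'Invalid Domain/URL provided!'
+return Response(response)
+
 wafw00f_command = f'wafw00f {url}'
-output = subprocess.check_output(wafw00f_command, shell=True)
-# use regex to get the waf
-regex = "behind \\\\x1b\[1;96m(.*)\\\\x1b"
-group = re.search(regex, str(output))
-
+_, output = run_command(wafw00f_command, remove_ansi_sequence=True)
+regex = r"behind (.*?) WAF"
+group = re.search(regex, output)
 if group:
 response['status'] = True
 response['results'] = group.group(1)
@@ -1155,6 +1157,11 @@ def get(self, request):
 url = req.query_params.get('url')
 #save_db = True if 'save_db' in req.query_params else False
 response = {'status': False}
+
+if not (validators.url(url) or validators.domain(url)):
+response['message'] = 'Invalid Domain/URL provided!'
+return Response(response)
+
 try:
 # response = get_cms_details(url)
 response = {}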
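Review bot: The new `validators.url(url)` guard in the wafw00f hunk still lets the value reach `run_command` embedded in a single command string, `f'wafw00f {url}'`, so the protection depends entirely on how `run_command` (defined elsewhere, not visible here) executes it: if it goes through a shell, a syntactically valid URL whose path, query or fragment carries metacharacters such as `$(...)`, backticks or `;` may still be interpreted. Passing the argument separately, e.g. `run_command(['wafw00f', url], remove_ansi_sequence=True)` if the helper accepts an argv list, or otherwise `f'wafw00f {shlex.quote(url)}'`, removes that dependence on the validator's regex rather than relying on it as the only barrier. In the third hunk `url` comes from `req.query_params.get('url')` and is `None` when the parameter is absent; it is worth confirming that `validators.url(None)` returns a falsy result rather than raising, so a missing parameter produces the 'Invalid Domain/URL provided!' response instead of an unhandled exception, and the same applies to the first guard, whose `url` is assigned before the hunk. Both enclosing `get` methods begin before their hunks.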
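--- a/web/reNgine/tasks.py
+++ b/web/reNgine/tasks.py
@@ -3840,7 +3840,7 @@ def query_whois(ip_domain, force_reload_whois=False):
 netlas_key = get_netlas_key()
 command += f' -a {netlas_key}' if netlas_key else ''
 
-result = subprocess.check_output(command.split()).decode('utf-8')
+_, result = run_command(command, remove_ansi_sequence=True)
 if 'Failed to parse response data' in result:
 # do fallback
 return {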
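Review bot: `command` is now handed to `run_command` as one string where the old call split it into an argv list for `subprocess.check_output` and therefore never involved a shell, so if `run_command` executes its input through a shell (its definition is not visible here) the `ip_domain` value and the `-a {netlas_key}` fragment appended on the line above become shell-interpreted for the first time in this function. Before depending on it, confirm that `run_command` uses `shell=False`, or validate `ip_domain` before it is built into `command` — e.g. `if not (validators.domain(ip_domain) or validators.ipv4(ip_domain)): return {...}` — mirroring the guard this same commit adds in views.py. The `.decode('utf-8')` on the removed line is dropped, so `result` is presumed to already be `str` from `run_command`; that should be checked against the helper, since the `in result` test on the next line would otherwise raise a TypeError. `query_whois` and the construction of `command` begin before this hunk.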
