Mitigate potential command injection risk (CWE-78) in DhcpClient: avoid dynamic PATH lookup with fixed/safe paths #19
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…id dynamic PATH lookup with fixed/safe paths This PR mitigates a potential command injection risk in DhcpClient.py Current code: - Extends os.environ['PATH'] dynamically - Uses have(command[0]) to locate dhclient/dhcpcd/udhcpc in the modified PATH - Constructs command list and passes to subprocess.Popen While exploitation is difficult/impossible in standard Linux Mint setups (due to polkit authentication, user privileges, and context of execution), the pattern remains risky: - Environment variables like PATH are user-controlled - Dynamic lookup + Popen can lead to execution of arbitrary binaries if PATH is manipulated (theoretical in custom/future setups) This is not best practice and could become exploitable in edge cases or forks. Changes: - Replace dynamic PATH extension and have() lookup with fixed/safe full paths for common DHCP clients - Fallback to shutil.which() if available (safer than env lookup) - Keep the same logic for finding the first available client No functional change for normal users only improves security posture (defense-in-depth). I was not able to create a working PoC, but the code pattern is potentially risky and should be avoided. Thanks for reviewing
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR mitigates a potential command injection risk in DhcpClient.py
Current code:
While exploitation is difficult/impossible in standard Linux Mint setups (due to polkit authentication, user privileges, and context of execution), the pattern remains risky:
This is not best practice and could become exploitable in edge cases or forks
Changes:
No functional change for normal users only improves security posture (defense-in-depth).
I was not able to create a working PoC, but the code pattern is potentially risky and should be avoided.
Thanks for reviewing