
Conversation

@odaysec

@odaysec odaysec commented May 23, 2025

// Pre-fix construction: jsonPaths and credentials are spliced into a JSON
// template as raw text, so neither value is escaped.
data := fmt.Sprintf(`{
    "transfer_requests": [
        {
            "transfer_request": {
                "paths": %s,
                "tags": {
                    "aspera": {
                        "node": {
                            "storage_credentials": %s
                        }
                    }
                }
            }
        }
    ]
}
`, jsonPaths, credentials)

The fix should avoid directly embedding jsonPaths into the data string using fmt.Sprintf. Instead, we can construct the JSON object in a structured manner using Go's native JSON handling capabilities. This approach ensures that all special characters are properly escaped and avoids the risk of injection.

Specifically:

  1. Replace the fmt.Sprintf construction of the data string with a structured approach using Go's map or struct types.
  2. Use json.Marshal to serialize the entire data object into a JSON string, ensuring proper escaping and formatting.

References

SQL injection
Command Injection
CWE-78
CWE-89
CWE-94
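The following is an added example, not code from the pull request or the project it targets. It contrasts the Sprintf pattern quoted above with the structured json.Marshal approach the PR proposes, using a constructed path value that closes the JSON string and appends its own key. The nesting of the types follows the template shown in the PR; the field names inside Path and StorageCredentials (source, type, token) and the way jsonPaths itself was assembled are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Types mirroring the template's nesting:
// transfer_requests -> transfer_request -> paths / tags.aspera.node.storage_credentials.
// Field names in Path and StorageCredentials are assumed for this example.
type Path struct {
	Source string `json:"source"`
}

type StorageCredentials struct {
	Type  string `json:"type"`
	Token string `json:"token"`
}

type Node struct {
	StorageCredentials StorageCredentials `json:"storage_credentials"`
}

type Aspera struct {
	Node Node `json:"node"`
}

type Tags struct {
	Aspera Aspera `json:"aspera"`
}

type TransferRequest struct {
	Paths []Path `json:"paths"`
	Tags  Tags   `json:"tags"`
}

type TransferRequestItem struct {
	TransferRequest TransferRequest `json:"transfer_request"`
}

type TransferSpec struct {
	TransferRequests []TransferRequestItem `json:"transfer_requests"`
}

// NaivePayload reproduces the pattern the PR removes: values are spliced into a
// JSON template with fmt.Sprintf and never escaped. How jsonPaths was built is
// not shown on the page; the per-path Sprintf here is an assumption.
func NaivePayload(sources []string, creds StorageCredentials) string {
	jsonPaths := "["
	for i, s := range sources {
		if i > 0 {
			jsonPaths += ","
		}
		jsonPaths += fmt.Sprintf(`{"source":"%s"}`, s)
	}
	jsonPaths += "]"
	credentials := fmt.Sprintf(`{"type":"%s","token":"%s"}`, creds.Type, creds.Token)
	return fmt.Sprintf(`{"transfer_requests":[{"transfer_request":{"paths":%s,"tags":{"aspera":{"node":{"storage_credentials":%s}}}}}]}`,
		jsonPaths, credentials)
}

// StructuredPayload builds the same document through encoding/json, so every
// string is escaped by the marshaller and cannot change the document's shape.
func StructuredPayload(sources []string, creds StorageCredentials) (string, error) {
	paths := make([]Path, 0, len(sources))
	for _, s := range sources {
		paths = append(paths, Path{Source: s})
	}
	spec := TransferSpec{TransferRequests: []TransferRequestItem{{
		TransferRequest: TransferRequest{
			Paths: paths,
			Tags:  Tags{Aspera: Aspera{Node: Node{StorageCredentials: creds}}},
		},
	}}}
	b, err := json.Marshal(spec)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// FirstPathKeys decodes a payload generically and returns the sorted key set of
// the first path object; an injected key shows up here.
func FirstPathKeys(payload string) ([]string, error) {
	var doc struct {
		TransferRequests []struct {
			TransferRequest struct {
				Paths []map[string]interface{} `json:"paths"`
			} `json:"transfer_request"`
		} `json:"transfer_requests"`
	}
	if err := json.Unmarshal([]byte(payload), &doc); err != nil {
		return nil, err
	}
	if len(doc.TransferRequests) == 0 || len(doc.TransferRequests[0].TransferRequest.Paths) == 0 {
		return nil, fmt.Errorf("no paths in payload")
	}
	keys := make([]string, 0)
	for k := range doc.TransferRequests[0].TransferRequest.Paths[0] {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys, nil
}

func main() {
	// Constructed input: a "path" that closes the source string and adds a key.
	evil := `report.csv","destination":"/etc/cron.d/x`
	creds := StorageCredentials{Type: "token", Token: "secret"}

	keys, err := FirstPathKeys(NaivePayload([]string{evil}, creds))
	fmt.Println("sprintf payload keys:", keys, err) // [destination source]

	safe, _ := StructuredPayload([]string{evil}, creds)
	keys, err = FirstPathKeys(safe)
	fmt.Println("marshal payload keys:", keys, err) // [source]
}
```

With the Sprintf template the crafted value is accepted as well-formed JSON and yields a path object with an extra destination key; with json.Marshal the quotes are escaped and the same value survives as a single, odd-looking source string. The same applies to the credentials blob: marshal it from a struct rather than pasting a preformatted string.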

@odaysec
Author

odaysec commented May 23, 2025

Signed-off-by: Zeroday BYTE [email protected]

@odaysec odaysec closed this by deleting the head repository Sep 17, 2025
