healthchecks / healthchecks / 25040495797
91%

Build:
DEFAULT BRANCH: master
Ran 28 Apr 2026 07:46AM UTC
Jobs 1
Files 225
Run time 1min
28 Apr 2026 07:44AM UTC coverage: 91.385% (+0.001%) from 91.384%
25040495797

push

github

cuu508
Fix check name and tag escaping in the Shell integration

Apply shlex.quote to check's name and tags before substituting them
in the $NAME, $TAGS, $TAG1, $TAG2, (...) placeholders in the
shell command.

Without escaping, a special character in the check's name or tags
would break the shell command. This can happen by accident, but
this can also be exploited as a security issue: an attacker with
access to an R/W API key can change check's name or tags to inject
their own payload in the shell command.

Note: if the attacker has access to the web UI, they can set up
a new shell integration to run any arbitrary system command on the
machine running healthchecks. Enable the shell integration
(SHELL_ENABLED=True env var) *only if you fully trust the users
you have given access to web UI*.

In a scenario where the attacker only has access to the API key
but no web UI access (let's say the key got leaked or exposed),
they cannot set up a new shell integration, as there is no API
support for that. But they could still inject commands in already
existing shell integrations by updating an existing check's name.
This commit fixes this loophole.

Thanks to Ayan Saha for reporting this issue.
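
An added illustration of the escaping the commit message describes, not the Healthchecks code itself: the `render` helper, the command template, the check name and the assumption that tags are whitespace-separated are all constructed for this example. It fills the $NAME, $TAGS and $TAGn placeholders with and without shlex.quote and runs both results through the shell.

```python
import re
import shlex
import subprocess

# Matches the placeholders named in the commit message: $NAME, $TAGS, $TAG1, ...
PLACEHOLDER = re.compile(r"\$(NAME|TAGS|TAG(\d+))")


def render(template, name, tags, quote=True):
    """Fill placeholders in one pass (hypothetical helper, not project code)."""
    tag_list = tags.split()  # assumption: tags are whitespace-separated

    def value(match):
        if match.group(1) == "NAME":
            raw = name
        elif match.group(1) == "TAGS":
            raw = tags
        else:
            idx = int(match.group(2)) - 1
            raw = tag_list[idx] if 0 <= idx < len(tag_list) else ""
        # shlex.quote turns the value into a single literal shell word.
        return shlex.quote(raw) if quote else raw

    return PLACEHOLDER.sub(value, template)


def run(cmd):
    """Run cmd through the shell and return its stdout lines."""
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


# Constructed sample values: a harmless second command hidden in the name.
TEMPLATE = "echo down: $NAME tag=$TAG1"
NAME = "backup; echo INJECTED"
TAGS = "prod db"

if __name__ == "__main__":
    for quote in (False, True):
        cmd = render(TEMPLATE, NAME, TAGS, quote=quote)
        print(f"quote={quote}: {cmd!r} -> {run(cmd)}")
```

Without quoting, the shell sees two commands and prints two lines; with quoting, the whole name stays a single argument to the one intended command.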

2 of 2 new or added lines in 1 file covered. (100.0%)

8295 of 9077 relevant lines covered (91.38%)

0.91 hits per line

Jobs
ID Job ID Ran Files Coverage
1 25040495797.1 28 Apr 2026 07:46AM UTC 225 91.38
  • e85a5eca on github