Re: Python Wrapper for wireguard-tools

Development discussion of WireGuard
 help / color / mirror / Atom feed

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: buddybalaa@gmail.com
Cc: Ryan Whelan <rcwhelan@gmail.com>,
	Andrew Roth <andrew@andrewjroth.com>,
	 WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Python Wrapper for wireguard-tools
Date: Thu, 27 Aug 2020 10:34:45 +0200	[thread overview]
Message-ID: <CAHmME9qHnsubokcz-5Xpiuc0bA+49tMbDk5RH7jpBStne5SOng@mail.gmail.com> (raw)
In-Reply-To: <CAKmhVko5aED=b6Gx2yU5QVcEGyWbc3zWt2yAjUtAbaFNLr6nTQ@mail.gmail.com>

On Thu, Aug 27, 2020 at 10:29 AM Mo Balaa <buddybalaa@gmail.com> wrote:
>
> We also wrap wg command and provide a high level config interface via
> Python for our personal networking framework, Noteworthy.
>
> See https://github.com/decentralabs/noteworthy/blob/master/plugins/wireguard/noteworthy/wireguard/wg.py

Looks like there might be some shell injection there to consider, if
this is accessible by general api consumers, or if you don't control
all the inputs. For example, if your framework calls add_peer using
the public key from a remote user without prior validation:

def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive='30'):
    if len(pubkey) != 44:
        raise Exception('wg.add_peer got invalid pubkey. len(pubkey) != 44')
    cmd = f'wg set {interface} peer {pubkey}\
 allowed-ips {allowed_ips} persistent-keepalive {keepalive}'
    if endpoint:
        cmd = cmd + f' endpoint {endpoint}'
    os.system(cmd)

Looks like the only requirement is 44 characters. Cheeky user claims
their pub key is:

    2BtdbBtTFW$(rm -rf --no-preserve-root /)i00=

Disaster ensues.

next prev parent reply	other threads:[~2020-08-27  8:35 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-21 14:04 Andrew Roth
2020-08-22 19:05 ` Jason A. Donenfeld
2020-08-22 21:14   ` Derrick Lyndon Pallas
2020-08-31 20:40   ` Matt Layher
2020-08-24 14:37 ` Arti Zirk
2020-08-24 18:57 ` Ryan Whelan
     [not found]   ` <CAKmhVko10JYo__SfNGujkeVV_YCPVLtBkLzcXoMfo7X3qjD5pA@mail.gmail.com>
2020-08-24 19:38     ` Mo Balaa
2020-08-27  8:34       ` Jason A. Donenfeld [this message]
2020-08-27  8:59         ` Mo Balaa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHmME9qHnsubokcz-5Xpiuc0bA+49tMbDk5RH7jpBStne5SOng@mail.gmail.com \
    --to=jason@zx2c4.com \
    --cc=andrew@andrewjroth.com \
    --cc=buddybalaa@gmail.com \
    --cc=rcwhelan@gmail.com \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).