Configurable gpg executable probably contradicts security policy #353
The README says

however the extension gets to specify the path of the "gpg" binary, its stdin (for the save action), and its final argument (after `--output`). It might require a bit of creativity to find a binary that ignores the fixed arguments but still allows arbitrary code execution given these attacker inputs, but I would not bet against it.

Comments

Thanks, an interesting insight! We do pass the configured path through a "validate" function, which as of today is focused more on catching typos rather than validating that it actually is a "gpg" binary. Do you think it would help if we were to edit this function to, for example, check that stdout of

Maybe, I haven't thought it through (and I may not be creative enough, I am not a penetration tester by trade) but it feels like it might be possible to combine the (limited) ability to write files and the control over the argument to cause a binary to print that line and then execute other malicious code. But also, to check if the stdout of

Personally, if you need to support executing binaries at arbitrary paths across a boundary, I would not claim it as a security boundary, because it feels very, very hard to defend successfully.

I agree with @FiloSottile on this. We should document the vulnerability more clearly IMO. Perhaps allowing the user to set the gpg binary path only in the JSON config for the password store, and having the next release of the native host parse that bit out, might be a better approach. That file cannot be written by or at the behest of the browser extension, and therefore any compromise of the browser extension would be unable to select an arbitrary binary to execute. This would be more inconvenient for the user, but I suspect only a little bit, and they'd only need to do it once. @maximbaz Thoughts?

I'd be okay with that, and when we do that, perhaps we should show an upgrade notification to users who have

Maybe I'm over-thinking it, but I imagine it's not a small number of people who will need to upgrade (I even know some personally), so it's better to nag people instead of just suddenly break the extension for them.