snyk: sanitize options passed to --snyk-code-test-opts

kdudka · kdudka · commit b3503d48696c · 2024-03-20T17:13:28.000+01:00
... to avoid shell injection. Also provide `sanitize_opts_arg()` in `csmock.common.util` so that it can be reused by other plug-ins that support passing of custom options to the wrapped tools. Fixes: commit 73eddc1 Resolves: CVE-2024-2243 - command injection vulnerability in csmock-plugin-snyk Reviewed-by: jperezde <jperezde@redhat.com>
diff --git a/py/common/util.py b/py/common/util.py
@@ -17,6 +17,7 @@
 
 import os
 import re
+import shlex
 
 
 def shell_quote(str_in):
@@ -34,6 +35,30 @@ def shell_quote(str_in):
     return "\"" + str_out + "\""
 
 
+def arg_value_by_name(parser, args, arg_name):
+    """return value of an argument parsed by argparse.ArgumentParser"""
+    for action in parser._actions:
+        if arg_name in action.option_strings:
+            return getattr(args, action.dest)
+
+
+def sanitize_opts_arg(parser, args, arg_name):
+    """sanitize command-line options passed to an option of argparse.ArgumentParser"""
+    opts_str = arg_value_by_name(parser, args, arg_name)
+    if opts_str is None:
+        return None
+
+    # split, quote, and rejoin the options to avoid shell injection
+    try:
+        split_opts = shlex.split(args.snyk_code_test_opts)
+
+        # starting with Python 3.8, one can use shlex.join(split_opts)
+        return ' '.join(shlex.quote(arg) for arg in split_opts)
+
+    except ValueError as e:
+        parser.error(f"failed to parse value given to {arg_name}: {str(e)}")
+
+
 def strlist_to_shell_cmd(cmd_in, escape_special=False):
     def translate_one(i):
         if escape_special:
diff --git a/py/plugins/snyk.py b/py/plugins/snyk.py
@@ -18,6 +18,7 @@
 import os
 
 from csmock.common.snyk import snyk_write_analysis_meta
+from csmock.common.util import sanitize_opts_arg
 
 
 # default URL to download snyk binary executable
@@ -84,6 +85,9 @@ def handle_args(self, parser, args, props):
         if not self.enabled:
             return
 
+        # sanitize options passed to --snyk-code-test-opts to avoid shell injection
+        self.snyk_code_test_opts = sanitize_opts_arg(parser, args, "--snyk-code-test-opts")
+
         # check whether we have access to snyk authentication token
         self.auth_token_src = os.path.expanduser(args.snyk_auth)
         if not os.access(self.auth_token_src, os.R_OK):
@@ -164,9 +168,9 @@ def scan_hook(results, mock, props):
             # command to run snyk code
             cmd = f"{self.snyk_bin} code test -d {SNYK_SCAN_DIR}"
 
-            # if we use the --snyk-code-test-opts flags, we append the flags to the SNYK CLI code
-            if args.snyk_code_test_opts:
-                cmd += f" {args.snyk_code_test_opts}"
+            if self.snyk_code_test_opts:
+                # propagate options given to --snyk-code-test-opts
+                cmd += f" {self.snyk_code_test_opts}"
 
             cmd += f" --sarif-file-output={SNYK_OUTPUT} >/dev/null 2>{SNYK_LOG}"
 
