Making a script secure to code injection

# 1  
Old 07-15-2015

Heyas

I've been told my scripts would be insecure, and to fix that.
Figured I might rethink some parts of my coding style; meanwhile I tried to write an additional catcher.

After reading:
fail : Security Issues - didn't help too much, in fact - it confused me even more.
n/a: https://en.wikipedia.org/wiki/Shellshock - right topic, wrong approach
n/a: https://en.wikipedia.org/wiki/Type_system - wrong topic, hint for better approach
ok : https://en.wikipedia.org/wiki/Code_i...hell_injection - that is something i was looking for

I came up with this:
Code:
#!/bin/bash
break_on_injections() { # "$1"
# Pass the first argument, and compare it against the list of shell metacharacters.
# Returns 0 when something suspicious was found, 1 otherwise.
#
	[ -z "$1" ] && return 1
	checkthis="${1}"
	# command separator, backtick (command substitution), pipe, redirections, background, colon
	malware='; ` | < & > :'
	#malware2=( '$(' '&&' )
	for mal in $malware #"${malware2[@]}"
	do	# -F: match the character literally, not as a regular expression
		echo "$checkthis" | grep -F "$mal" && \
			printf "%s\t%s\n" \
				"Aborting, injection detected!" "" \
				"Source: " "${BASH_SOURCE[*]}" \
				"Function:" "${FUNCNAME[*]}" \
				"Pipestatus:" "${PIPESTATUS[*]}" && \
				return 0
	done
	return 1
}

break_on_injections "$1" && exit 1

exit
#########################################
#########################################
#
#	Recommended usage:
#
#########################################
#########################################
for arg in "${@}"
do	break_on_injections "$arg" && exit 1
done

My 'test' result seemed good, I guess - but since I don't know much about these kinds of things, I'm not sure if it's even applicable.
Code:
0 $ inject.sh "$(hostname)"

0 $ inject.sh || echo hmm
hmm

1 $ inject.sh "|| echo hmm"
|| echo hmm
Aborting, injection detected!	
Source: 	/bin/inject.sh /bin/inject.sh
Function:	break_on_injections main
Pipestatus:	0 0

As I am completely inexperienced with the topic of 'code injection' - or how to protect a script from such - I'm quite happy with the above code.
Though, the "$(hostname)" didn't raise an issue, but I guess that is something one cannot catch on that level.

Is this code snippet 'usable'?
Any thoughts / suggestions / advice / improvements?

Last edited by sea; 07-16-2015 at 02:53 AM.. Reason: changed code
# 2  
Old 07-16-2015
"$(hostname)" is substituted - by the calling shell!
'$(hostname)' will pass it to the script as is.
# 3  
Old 07-16-2015
A follow-up question... (and partially missing explanation)

If you have a webserver which is using scripts to (print to an 'html-file' to) display information.
Where would you/I need to catch the code injection?
  1. Between the surfer and the page (html -> cgi/php)
  2. Between the server and the script (cgi/php -> shell)
  3. The script has to do all the possible captures (shell)

---------- Post updated at 08:02 ---------- Previous update was at 08:00 ----------

Quote:
Originally Posted by MadeInGermany
"$(hostname)" is substituted - by the calling shell!
I do understand the words, but not in regard to security.
As I understand it, I'd have NO way to possibly catch that?

EDIT: Or are you saying it's a nonsense test?

Last edited by rbatte1; 07-16-2015 at 08:45 AM.. Reason: Converted to LIST=1 tags from plain text
# 4  
Old 07-16-2015
I mean you must test it with
Code:
inject.sh '$(hostname)'

This User Gave Thanks to MadeInGermany For This Post:
# 5  
Old 07-16-2015
Ok, that part (using the single quotes) is handled fine, as far as I tested/'understand this topic'.

Any additions I should add?
# 6  
Old 07-16-2015
I would code that differently:
Code:
break_on_injections() {
  typeset arg ac=0
  for arg do                 # iterate over every argument passed to the function
    ac=$((ac+1))             # argument counter, used in the message only
    case $arg in
    (*[';`|<&>:']*|*'$('*)   # any listed metacharacter, or the start of a $( ) substitution
      printf "%s\n" \
        "Aborting, injection detected! arg${ac}='$arg'"
      return 1
    ;;
    esac
  done
  return 0
}
break_on_injections "$@"
break_on_injections "$@"

This User Gave Thanks to MadeInGermany For This Post:
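An added example (not code from the thread) that puts the case-style screen from post #6 next to the quoting point from posts #2 and #4: `screen_args` returns 0 for clean arguments and 1 when one contains a command separator, pipe, redirection, backtick or the start of a `$(`/`${` expansion, and `what_callee_sees` shows that a double-quoted "$(hostname)" is expanded by the caller's shell before the script ever runs, so only the single-quoted literal can be caught. The function names are mine, and `uname -n` stands in for `hostname`.

```shell
#!/bin/bash
# Added example, not from the thread. Screens every argument with case
# patterns as post #6 does; exit status 1 means "reject". The ':' from the
# thread's lists is left out here because it is not a command separator.
screen_args() {
  arg_index=0
  for arg do
    arg_index=$((arg_index + 1))
    case $arg in
      *';'* | *'`'* | *'|'* | *'<'* | *'&'* | *'>'* | *'$('* | *'${'*)
        printf 'rejected arg%d: %s\n' "$arg_index" "$arg" >&2
        return 1 ;;
    esac
  done
  return 0
}

# Returns its first argument exactly as the script received it. This is the
# point of posts #2 and #4: with "$(...)" the CALLER's shell already ran the
# substitution, so only its output arrives; with '$(...)' the literal text arrives.
what_callee_sees() {
  printf '%s' "$1"
}

demo() {
  # Constructed inputs, modelled on the thread's test session.
  screen_args "plain text" "/var/log/syslog" && echo "accepted: harmless args"
  screen_args "|| echo hmm"        || echo "blocked: '||' operator"
  screen_args '$(hostname)'        || echo "blocked: literal \$(hostname)"
  screen_args 'a b' '`id`'         || echo "blocked: backtick substitution"
  # uname -n stands in for the thread's hostname here.
  seen=$(what_callee_sees "$(uname -n)")
  [ "$seen" = "$(uname -n)" ] && echo "double quotes: callee saw '$seen', nothing left to detect"
  seen=$(what_callee_sees '$(hostname)')
  [ "$seen" = '$(hostname)' ] && echo "single quotes: callee saw the literal '$seen'"
}

demo
```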
# 7  
Old 07-16-2015
To make it resistant to injections, don't use backticks anywhere.
This User Gave Thanks to Corona688 For This Post: