From 9537cb32ed6746768acdc2332267a64207f3d05b Mon Sep 17 00:00:00 2001 From: Stephen Fox Date: Sat, 9 Apr 2022 16:46:56 -0400 Subject: [PATCH] security: Removed unsafe relative path sourcing. The "vm" script is responsible for executing shell script functions found in other vm-bhyve scripts. It does this by sourcing other vm-bhyve shell scripts, which automatically execute code that handles the user's input. One of the first actions "vm" takes is to check if the relative file "./lib/vm-core" exists. If this file exists, it sets the parent directory for sourcing scripts to "./lib", resulting in all shell scripts being sourced from a path relative to the user's current working directory. This is unsafe because sourcing from a relative file path may result in execution of untrusted code. For example, imagine the user cloned a git repository that contains malicious code stored at "/lib/". If the user were to "cd" to this imaginary cloned repository and execute the "vm" script, they would inadvertently source and execute code from that directory. This commit removes this behavior. The "vm" script now sources scripts exclusively from "/usr/local/lib/vm-bhyve/". --- vm | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/vm b/vm index b315908..372727f 100644 --- a/vm +++ b/vm @@ -25,9 +25,7 @@ # POSSIBILITY OF SUCH DAMAGE. # get libs -if [ -e "./lib/vm-core" ]; then - LIB="./lib" -elif [ -e "/usr/local/lib/vm-bhyve" ]; then +if [ -e "/usr/local/lib/vm-bhyve" ]; then LIB="/usr/local/lib/vm-bhyve" else echo "unable to locate vm-bhyve libraries"