custodian-enqueue
-----------------

We open named files from the user to parse tests.

We don't run shell commands.


custodian-dequeue
-----------------

Two tests pass arguments from the configuration file to the shell:

  ping
  http/https

The hostname used to ping, and the URL used to fetch, are both passed
directly to the shell with no quoting, encoding, or sanitizing.  Any
shell metacharacters in a test definition are therefore interpreted by
the shell on the dequeue host, so a test such as the following is a
risk:

  $(touch /tmp/blah) must run ping.

HOWEVER the hostname is extracted with the following regexp, which
keeps only the first whitespace-free token of the line:

  ^([^\s]+)\s+

So in real terms the only risk is commands without spaces, e.g.:

  $(/tmp/exploit.sh) must run ping

Note that this narrows the problem rather than fixing it: the regexp is
a parser, not a sanitizer, and a command substitution does not need a
literal space to run.

TODO: Fix this.  Validate the hostname/URL against a strict allowlist
and exec the test binary with an argument vector instead of building a
shell string.


general
-------

We decode arbitrary JSON from the queue.

We should sign it, or validate it.  This will prevent trojaned or
malformed JSON from being added, or at least from being acted on.


TODO
----

Anything else?  DoS attacks?

Steve
--
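The custodian-dequeue problem above, as an added example (not the project's own code): the first-token regexp from the notes, the unsafe string-interpolation pattern it describes, and a hardened replacement that validates the hostname/URL and builds an argument vector so no shell is ever involved. It is written in Ruby on the assumption that the dequeue side is Ruby; the helper names (`first_token`, `valid_host?`, `ping_argv`, `http_argv`, `run`), the `ping -c 1` / `curl` command lines, and the hostname regexp are all assumptions made for the example.

```ruby
# Added example, not custodian's own code.
require 'ipaddr'
require 'uri'
require 'open3'

# The dequeue regexp from the notes: only the first whitespace-free token
# of a test line survives, which is why "$(touch /tmp/blah) ..." is
# truncated to "$(touch" but "$(/tmp/exploit.sh)" is passed through intact.
TEST_RE = /^([^\s]+)\s+/

def first_token(line)
  m = TEST_RE.match(line)
  m && m[1]
end

# UNSAFE pattern described in the notes: the host is interpolated into a
# shell string, so "$(...)" in the config is evaluated by /bin/sh.
def ping_command_unsafe(host)
  "ping -c 1 #{host}" # would be executed via system(...) or backticks
end

# Strict RFC 1123 hostname: labels of [a-z0-9-], no leading/trailing '-',
# no shell metacharacters can possibly match.  (Assumed policy.)
HOSTNAME_RE = /\A(?=.{1,253}\z)
                (?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)
                (?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/xi

def ip_literal?(s)
  IPAddr.new(s)
  !s.include?('/')   # reject prefixes like 10.0.0.0/8
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  false
end

def valid_host?(host)
  host.is_a?(String) && (ip_literal?(host) || HOSTNAME_RE.match?(host))
end

# Build an argv; passing an array to Open3/Kernel#spawn execs the binary
# directly, so the shell never sees the host at all.
def ping_argv(host)
  raise ArgumentError, "refusing hostname #{host.inspect}" unless valid_host?(host)
  ['ping', '-c', '1', host]
end

def http_argv(url)
  uri = URI.parse(url)
  ok = %w[http https].include?(uri.scheme) && valid_host?(uri.hostname)
  raise ArgumentError, "refusing url #{url.inspect}" unless ok
  ['curl', '-s', '-o', '/dev/null', '-w', '%{http_code}', uri.to_s]
rescue URI::InvalidURIError
  raise ArgumentError, "refusing url #{url.inspect}"
end

# Run an argv without a shell.  The [cmd, cmd] form forces exec semantics
# even for a single-element argv.
def run(argv)
  out, err, status = Open3.capture3([argv[0], argv[0]], *argv.drop(1))
  [out, err, status.success?]
end
```

Because `valid_host?` only accepts alphanumerics, dots and hyphens (or a bare IP literal), the `$(/tmp/exploit.sh)` case is rejected before any command is built; and because the test is exec'd from an array rather than a string, even a future validation gap cannot turn into command execution, only into a failed ping or fetch.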
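For the "general" item (sign or validate the JSON taken off the queue), an added example that is not the project's own code: each job is wrapped in an envelope carrying an HMAC-SHA256 over the serialised job, and the dequeue side refuses anything whose MAC does not verify, that is not a JSON object, or whose test type is not on an allowlist. The envelope layout, the `ALLOWED_TEST_TYPES` list, the key and the helper names (`sign_job`, `verify_job`, `valid_job?`) are assumptions for the example, written in Ruby.

```ruby
# Added example, not custodian's own code.
require 'json'
require 'openssl'

# Assumed allowlist of test types the dequeue side knows how to run.
ALLOWED_TEST_TYPES = %w[ping http https].freeze

# Enqueue side: serialise the job once, MAC that exact byte string, and
# ship both.  The MAC covers the serialised form, so there is no
# canonicalisation step to get wrong on the other side.
def sign_job(job, key)
  body = JSON.generate(job)
  mac  = OpenSSL::HMAC.hexdigest('SHA256', key, body)
  JSON.generate({ 'body' => body, 'mac' => mac })
end

# Constant-time comparison so a MAC mismatch does not leak by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Structural validation, applied even after the MAC checks out: a job is
# a Hash with an allowlisted type and a non-empty string target.
def valid_job?(job)
  job.is_a?(Hash) &&
    ALLOWED_TEST_TYPES.include?(job['type']) &&
    job['target'].is_a?(String) && !job['target'].empty?
end

# Dequeue side: returns the job Hash, or nil for anything that should be
# dropped.  max_nesting bounds the parser against deeply nested input.
def verify_job(envelope, key)
  env = JSON.parse(envelope, max_nesting: 10)
  return nil unless env.is_a?(Hash) &&
                    env['body'].is_a?(String) && env['mac'].is_a?(String)
  expected = OpenSSL::HMAC.hexdigest('SHA256', key, env['body'])
  return nil unless secure_equal?(expected, env['mac'])
  job = JSON.parse(env['body'], max_nesting: 10)
  valid_job?(job) ? job : nil
rescue JSON::ParserError # includes JSON::NestingError
  nil
end
```

Signing only helps if the key is held by the enqueue side and not by whoever can write to the queue; if the queue itself is the untrusted boundary, the MAC adds nothing and the structural check in `valid_job?` is what matters, so it runs regardless. Per-type validation of the target (that a ping target really is a hostname, that an http target really is a URL) belongs with the dequeue fix and is not repeated here.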