custodian-enqueue
-----------------

We open named files from the user to parse tests.  We don't run shell
commands.


custodian-dequeue
-----------------

Two tests pass arguments from the configuration file to the shell:

  ping
  http/https

The hostname used to ping, and the URL, are both passed directly to the
shell with no encoding or sanitizing.  This means a test such as the
following is a risk:

  $(touch /tmp/blah) must run ping.

HOWEVER the hostname has to pass the following regexp:

  ^([^\s]+)\s+

The capture stops at the first whitespace character, so a payload that
contains a space is never picked up as the hostname.  So in real terms
the only risk is commands without spaces:

  $(/tmp/exploit.sh) must run ping

That is still a real risk: $(...) and backtick substitutions need no
spaces, and the shell expands them before ping ever runs.  The fix is to
stop building a command string at all: check the hostname (and the URL)
against a strict pattern, then pass it to the program as a separate
argument so no shell is involved.

TODO: Fix this


General
-------

We decode arbitrary JSON from the queue.  We should sign it, or validate
it, to prevent trojan or malformed JSON from being added to the queue.

At the moment we ensure that the job-body we retrieve looks JSON-like,
and decodes to a non-empty hash.

Problem:

  We cannot sign the body without giving away our key details.

Solution:

  Read /etc/custodian/salt, and store the checksum of all keys + values
  with that salt?


TODO
----

Anything else?  DoS attacks?

Steve
--
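The custodian-dequeue problem above, worked through as an added example in Ruby (custodian's own language).  This is not custodian's code: the test-line regexp is extended from the `^([^\s]+)\s+` fragment in the notes, the function names, the hostname allowlist and the use of curl for the http/https tests are all assumptions made here.  It shows that the regexp lets `$(/tmp/exploit.sh)` through as a hostname while rejecting the spaced payload, contrasts the single-string `system` call (which goes via /bin/sh) with the argv form (which execs ping directly), and shows Shellwords escaping for the case where a shell string really is unavoidable.

```ruby
require 'shellwords'
require 'uri'

# Shape of a dequeued test line as the notes describe it (assumed here):
# the target is whatever precedes the first whitespace, so
# "$(/tmp/exploit.sh)" is captured as a hostname, "$(touch /tmp/blah)" is not.
TEST_LINE = /^([^\s]+)\s+must\s+run\s+(\w+)\.?$/

def parse_test(line)
  m = TEST_LINE.match(line)
  m && { target: m[1], test: m[2] }
end

# Vulnerable shape: a single command string.  Kernel#system with one
# string runs it through /bin/sh -c, so $(...) is expanded before ping runs.
def unsafe_ping_command(host)
  "ping -c 1 #{host}"
end

# Conservative allowlist (assumption): hostnames and dotted IPv4 literals
# made of letter/digit/hyphen labels.  IPv6 literals are deliberately
# rejected, and a leading "-" cannot match, so the value can never be
# mistaken for a ping option.
HOSTNAME = /\A(?=.{1,253}\z)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\.?\z/i

def valid_hostname?(host)
  host.is_a?(String) && HOSTNAME.match?(host)
end

# Hardened shape: validate, then build an argv array.  Kernel#system with
# several arguments execs the binary directly and never invokes a shell,
# so the hostname can only ever be ping's own argument.
def ping_argv(host)
  raise ArgumentError, "refusing to ping #{host.inspect}" unless valid_hostname?(host)
  ["ping", "-c", "1", host]
end

def run_ping(host)
  system(*ping_argv(host))
end

# Same idea for the http/https tests: parse the URL, insist on an http(s)
# scheme and a sane host, and hand it to the client as one argv element.
# curl is an assumption; the notes do not say what the dequeue side runs.
def http_argv(url)
  uri = URI.parse(url)
  unless uri.is_a?(URI::HTTP) && valid_hostname?(uri.host)
    raise ArgumentError, "not an http(s) URL: #{url.inspect}"
  end
  ["curl", "-sS", "-o", "/dev/null", "--max-time", "10", uri.to_s]
rescue URI::InvalidURIError
  raise ArgumentError, "unparseable URL: #{url.inspect}"
end

# If a shell string is unavoidable (a pipeline, say), escape every
# interpolated value with Shellwords instead of trusting the regexp.
def escaped_ping_command(host)
  "ping -c 1 #{Shellwords.escape(host)}"
end
```

The allowlist plus argv form is the important pair: `Shellwords.escape` stops the shell from expanding `$(...)`, but only the argv form removes the shell from the path entirely, and only the allowlist stops a value such as `-f` from being read as an option by the program itself.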
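The "checksum of all keys + values with that salt" idea from the General section, worked through as an added example in Ruby.  This is not custodian's code.  It assumes a shared secret that both the enqueue and dequeue hosts can read (the notes' /etc/custodian/salt; here passed in as a string), a field name of "hmac" for the tag, and that the job body is a JSON object with string keys.  It uses a keyed HMAC-SHA256 over a canonical serialisation (keys sorted recursively) rather than a bare digest of salt + values, which is what makes the tag unforgeable without the secret, and it keeps the existing "looks JSON-like and decodes to a non-empty hash" check in front of the MAC check.

```ruby
require 'json'
require 'openssl'

SIG_FIELD = "hmac" # assumed name of the tag field in the queued body

# Canonical form: hashes sorted by key recursively, so a job always
# serialises to the same bytes no matter how the encoder ordered the keys.
def canonical(value)
  case value
  when Hash  then value.map { |k, v| [k.to_s, canonical(v)] }.sort_by(&:first).to_h
  when Array then value.map { |v| canonical(v) }
  else value
  end
end

# Keyed MAC over the canonical JSON of every key and value except the tag
# itself.  The secret never appears in the body, only the tag does.
def job_mac(job, secret)
  data = JSON.generate(canonical(job.reject { |k, _| k.to_s == SIG_FIELD }))
  OpenSSL::HMAC.hexdigest("SHA256", secret, data)
end

# Enqueue side: attach the tag and serialise.
def sign_job(job, secret)
  JSON.generate(job.merge(SIG_FIELD => job_mac(job, secret)))
end

# Constant-time comparison so a mismatch is not revealed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Dequeue side: the existing sanity checks (JSON-like, non-empty hash),
# then the MAC check.  Returns the job without its tag, or nil if anything
# fails, so a forged or malformed body is never handed to a test runner.
def verify_job(body, secret)
  return nil unless body.is_a?(String) && body.lstrip.start_with?("{")
  job = begin
    JSON.parse(body)
  rescue JSON::ParserError
    return nil
  end
  return nil unless job.is_a?(Hash) && !job.empty?
  tag = job[SIG_FIELD]
  return nil unless tag.is_a?(String) && secure_equal?(tag, job_mac(job, secret))
  job.reject { |k, _| k == SIG_FIELD }
end
```

This does not solve the problem the notes raise, that the enqueue side must hold the same secret: an HMAC proves the body was produced by something that knew /etc/custodian/salt, so that file needs the same protection on every host that enqueues.  A public-key signature would remove the need to share the secret, at the cost of key distribution.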