Re-write some parts to prevent code injection #10

Open
emarinier opened this issue Nov 7, 2023 · 2 comments
Comments

@emarinier
Member

Currently, using echo to write possibly user-supplied filenames and sample ID fields might introduce a vulnerability to code injection. We should consider moving generate_summary to be after the IRIDA JSON output is produced and have it launch a Python process that reads the final JSON file, handles the data, and then writes the summary.txt.gz file.

@emarinier
Member Author

Also related: #9 (comment)

@emarinier emarinier changed the title Re-write generate_summary to prevent code injection Re-write some parts to prevent code injection Nov 8, 2023
@emarinier emarinier self-assigned this Nov 8, 2023
@emarinier
Member Author

Confirming that I was able to do very basic code injection through the sample name provided in the samplesheet.

Ideas and recommendations for preventing code injection:

  • Have nf-validation prevent certain characters (;, |, >, etc.)
  • Scan parameters for special characters.
  • Do not pass any user-modifiable fields into a bash command.
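The injection path described in this thread, and the two mitigations it proposes, as an added Python example (this is not the project's code; the sample ID regex, the JSON field names and the summary layout are assumptions, and the malicious sample name is constructed for the demonstration). The first function mimics a script block that interpolates the sample ID into bash text, the second shows the same echo with no shell involved, and the last two show a Python-side summary writer that takes its data from parsed JSON and refuses IDs outside an allowlist.

```python
"""Added example, not part of the issue or the project: shell injection via an
interpolated sample ID, and two mitigations (character allowlist, summary
written from Python with no shell).  All names and data here are hypothetical."""
import gzip
import io
import json
import re
import subprocess

# Constructed malicious sample name: closes the double quote the script opened,
# runs an extra command, then reopens a quote so the script stays syntactically valid.
MALICIOUS_ID = 'sample1"; echo INJECTED; echo "'

# Hypothetical allowlist in the spirit of an nf-validation regex: letters, digits,
# '.', '_' and '-', no shell metacharacters, and no leading '-' so the value can
# never be read as a command-line option.
SAMPLE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def validate_sample_id(sample_id: str) -> bool:
    """True only if the ID matches the allowlist pattern."""
    return SAMPLE_ID_RE.fullmatch(sample_id) is not None


def vulnerable_echo(sample_id: str) -> str:
    """Mimic a process script that interpolates the ID into bash source text.
    The ID becomes part of the script, so quotes and ';' inside it are code."""
    script = f'echo "Sample: {sample_id}"'
    return subprocess.run(["sh", "-c", script], capture_output=True,
                          text=True, check=True).stdout


def safe_echo(sample_id: str) -> str:
    """Same echo, but the ID is passed as an argv element with no shell:
    whatever it contains is printed literally and never parsed."""
    return subprocess.run(["echo", "Sample: " + sample_id],
                          capture_output=True, text=True, check=True).stdout


def write_summary_gz(json_text: str) -> bytes:
    """Build summary.txt.gz content from (hypothetical) pipeline JSON records.
    Data flows json.loads -> Python strings -> gzip; no shell ever sees it.
    IDs that fail the allowlist are rejected instead of being written out."""
    records = json.loads(json_text)
    lines = ["sample_id\tfile"]
    for rec in records:
        sid = rec["sample_id"]
        if not validate_sample_id(sid):
            raise ValueError(f"sample_id contains disallowed characters: {sid!r}")
        lines.append(f"{sid}\t{rec['file']}")
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(("\n".join(lines) + "\n").encode("utf-8"))
    return buf.getvalue()


def read_summary_gz(data: bytes) -> str:
    """Decompress summary.txt.gz content back to text."""
    return gzip.decompress(data).decode("utf-8")


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_echo(MALICIOUS_ID)))
    print("safe:      ", repr(safe_echo(MALICIOUS_ID)))
    # Constructed JSON standing in for the pipeline's output (field names assumed).
    good = json.dumps([{"sample_id": "sample-01.v2", "file": "s1.fastq.gz"}])
    print(read_summary_gz(write_summary_gz(good)))
```

Run as a script, the vulnerable call prints an extra INJECTED line because the shell parsed the sample name as code, while the argv version prints the name verbatim on one line. The allowlist is deliberately narrow: rejecting unknown characters is easier to reason about than enumerating every metacharacter, and it also keeps tabs and newlines out of a tab-separated summary.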
