A Command Injection vulnerability exists in the get_git_diff() method at openhands/runtime/utils/git_handler.py:134. The path parameter from the /api/conversations/{conversation_id}/git/diff API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels.
The vulnerability flows through these files:
openhands/server/routes/files.py:267-277)@app.get('/git/diff')
async def git_diff(
path: str, # <-- User input from HTTP request
...
):
...
diff = await call_sync_from_async(runtime.get_git_diff, path, cwd) # No sanitization
openhands/runtime/base.py:1231-1233)def get_git_diff(self, file_path: str, cwd: str) -> dict[str, str]:
self.git_handler.set_cwd(cwd)
return self.git_handler.get_git_diff(file_path) # Passed directly
openhands/runtime/utils/git_handler.py:10-12, 134)# Command template with placeholder
GIT_DIFF_CMD = 'python3 /openhands/code/openhands/runtime/utils/git_diff.py "{file_path}"'
# Line 134 - VULNERABLE: User input directly interpolated
result = self.execute(self.git_diff_cmd.format(file_path=file_path), self.cwd)
openhands/runtime/utils/git_diff.py:25-27)def run(cmd: str, cwd: str) -> str:
result = subprocess.run(
args=cmd,
shell=True, # <-- Enables shell metacharacter interpretation
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
cwd=cwd
)
The file_path parameter is directly interpolated into a shell command string using Python's .format() method without any sanitization. When this command is executed with shell=True, shell metacharacters like ", ;,...
1.5.0Exploitability
AV:NAC:LPR:LUI:NScope
S:UImpact
C:HI:LA:L7.6/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L