Commit ce53491 (March 24) fixed command injection via system_packages in Dockerfile templates and images.py by adding shlex.quote. However, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting.
The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, which makes this remote code execution on the CI/CD tier.
Fixed paths (commit ce53491):
- src/_bentoml_sdk/images.py:88 - added shlex.quote(package)
- src/bentoml/_internal/bento/build_config.py:505 - added bash_quote Jinja2 filter
- base_debian.j2, base_alpine.j2, etc.

Unfixed path:
src/bentoml/_internal/cloud/deployment.py, line 1648:
def _build_setup_script(bento_dir: str, image: Image | None) -> bytes:
    content = b""
    config = BentoBuildConfig.from_bento_dir(bento_dir)
    if config.docker.system_packages:
        content += f"apt-get update && apt-get install -y {' '.join(config.docker.system_packages)} || exit 1\n".encode()
The system_packages values from bentofile.yaml are joined with spaces and interpolated directly into the apt-get install command. shlex.quote is not applied.
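The difference between the unfixed f-string and the shlex.quote form used in the fixed paths, as an added example. This is not BentoML code: the function names and the sample package list are constructed for illustration.

```python
import shlex

# Constructed sample: the second entry carries a shell command separator.
SAMPLE_PACKAGES = ["git", "curl; echo constructed-marker"]


def setup_line_unquoted(system_packages):
    """Same construction as the f-string quoted above from deployment.py."""
    return (
        f"apt-get update && apt-get install -y "
        f"{' '.join(system_packages)} || exit 1\n"
    )


def setup_line_quoted(system_packages):
    """Each value passes through shlex.quote, as ce53491 did in images.py."""
    quoted = " ".join(shlex.quote(p) for p in system_packages)
    return f"apt-get update && apt-get install -y {quoted} || exit 1\n"


def split_commands(line):
    """Split a shell line into simple commands at unquoted ; & | ( ) < >.

    Lexical approximation for review purposes, not a full shell parser.
    """
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep names like libssl-dev:amd64 whole
    commands, current = [], []
    for token in lexer:
        if token and all(ch in lexer.punctuation_chars for ch in token):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for build in (setup_line_unquoted, setup_line_quoted):
        line = build(SAMPLE_PACKAGES)
        print(build.__name__, "->", line.strip())
        for cmd in split_commands(line):
            print("   ", cmd)
```

With the unquoted form the sample value splits into an additional command; with the quoted form it stays a single argument to apt-get install.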
Remote execution confirmed:
- setup_script = _build_setup_script(bento_dir, svc.image) in _init_deployment_files
- upload_files.append(("setup.sh", setup_script)) uploads to BentoCloud
- self.upload_files(upload_files, ...) sends to the remote deployment

Second caller at line 1068: _build_setup_script is also called during Deployment.watch() for dev mode hot-reload deployments.
bentofile.yaml:
service: "service:svc"
docker:
  system_packages:
    - "curl"
    -...
1.4.38

Exploitability: AV:L, AC:L, PR:N, UI:R
Scope: S:U
Impact: C:H, I:H, A:H

7.8 / CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H