[web] prevent OT CLI command injection via newline characters#3288
Open
alimezar wants to merge 1 commit intoopenthread:mainfrom
Open
[web] prevent OT CLI command injection via newline characters#3288alimezar wants to merge 1 commit intoopenthread:mainfrom
alimezar wants to merge 1 commit intoopenthread:mainfrom
Conversation
User-controlled strings (pskd, prefix, networkKey, pskc) from the web interface are passed into OpenThreadClient::Execute(), which builds newline-framed commands for the OT daemon Unix socket. A raw CR or LF byte in any of these fields terminates the current command and starts a new one, allowing arbitrary OT CLI command injection. Fix both the sink and the callers: 1. In OpenThreadClient::Execute(), reject any formatted command payload that contains an embedded CR or LF byte before the framing newlines are added. This is the primary defense at the transport boundary. 2. In escapeOtCliEscapable(), stop passing through raw CR and LF bytes after the backslash prefix. Instead, strip them from the output entirely. Continue escaping spaces, tabs, and backslashes as before. 3. Apply escapeOtCliEscapable() to all user-controlled string parameters (pskd, prefix, networkKey, pskc) as defense in depth, matching the existing treatment of networkName.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request enhances security against command injection in the OpenThread CLI by adding a check for line breaks in OpenThreadClient::Execute. Additionally, it ensures that various network parameters such as PSKD, prefix, network key, and PSKC are properly escaped using escapeOtCliEscapable before being passed to CLI commands. The escapeOtCliEscapable function was also updated to ignore carriage returns and newlines. I have no feedback to provide.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User-controlled strings (pskd, prefix, networkKey, pskc) from the web interface are passed into OpenThreadClient::Execute(), which builds newline-framed commands for the OT daemon Unix socket. A raw CR or LF byte in any of these fields terminates the current command and starts a new one, allowing arbitrary OT CLI command injection.
Fix both the sink and the callers:
In OpenThreadClient::Execute(), reject any formatted command payload that contains an embedded CR or LF byte before the framing newlines are added. This is the primary defense at the transport boundary.
In escapeOtCliEscapable(), stop passing through raw CR and LF bytes after the backslash prefix. Instead, strip them from the output entirely. Continue escaping spaces, tabs, and backslashes as before.
Apply escapeOtCliEscapable() to all user-controlled string parameters (pskd, prefix, networkKey, pskc) as defense in depth, matching the existing treatment of networkName.