Add System.shell command injection #175

realcorvus · 2025-01-06T20:54:31Z

System.shell was added in Elixir 1.12 - https://hexdocs.pm/elixir/1.18.1/System.html#shell/2

This PR modifies the existing System.cmd check to add shell. Tested on Potion Shop - https://github.com/securityelixir/potion_shop with the following change:

defmodule CarafeWeb.PotionController do
   ...

  def show(conn, %{"id" => id}) do
    System.shell(id)

CI.System: Command Injection via `System` function - lib/carafe_web/controllers/potion_controller.ex:19

houllette · 2025-05-08T23:28:19Z

Hey @realcorvus - sorry for the delay on this; for reasons explained in another issue (#180), I've created an official fork and as such you're welcome to bring this PR over there to make sure you get the proper attribution or I can just fold it over myself - either way!

Feel free to close out this PR and follow progress over in the new repo here from now on! For what it's worth the hex package won't change since I can just cut over to pointing to the new repo.

…mand injection

Add System.shell command injection

50b5494

houllette added a commit to sobelow/sobelow that referenced this pull request May 9, 2025

Merge upstream PR nccgroup#175 from @realcorvus: Add System.shell com…

553f493

…mand injection

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add System.shell command injection #175

Add System.shell command injection #175

Uh oh!

realcorvus commented Jan 6, 2025

Uh oh!

houllette commented May 8, 2025

Uh oh!

Uh oh!

Add System.shell command injection #175

Are you sure you want to change the base?

Add System.shell command injection #175

Uh oh!

Conversation

realcorvus commented Jan 6, 2025

Uh oh!

houllette commented May 8, 2025

Uh oh!

Uh oh!