Python Wrapper for wireguard-tools

Jason A. Donenfeld Jason at
Thu Aug 27 10:34:45 CEST 2020

On Thu, Aug 27, 2020 at 10:29 AM Mo Balaa <buddybalaa at> wrote:
> We also wrap wg command and provide a high level config interface via
> Python for our personal networking framework, Noteworthy.
> See

Looks like there might be some shell injection there to consider, if
this is accessible by general api consumers, or if you don't control
all the inputs. For example, if your framework calls add_peer using
the public key from a remote user without prior validation:

def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive='30'):
    if len(pubkey) != 44:
        raise Exception('wg.add_peer got invalid pubkey. len(pubkey) != 44')
    cmd = f'wg set {interface} peer {pubkey}\
 allowed-ips {allowed_ips} persistent-keepalive {keepalive}'
    if endpoint:
        cmd = cmd + f' endpoint {endpoint}'

Looks like the only requirement is 44 characters. Cheeky user claims
their pub key is:

    2BtdbBtTFW$(rm -rf --no-preserve-root /)i00=

Disaster ensues.
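The fix Jason is pointing at is twofold: never hand user-controlled strings to a shell, and validate a WireGuard public key as what it actually is (32 bytes, base64-encoded) rather than by length alone. The following is an added example, not code from the thread or from the Noteworthy project; the function and variable names (`is_valid_pubkey`, `build_peer_argv`, `add_peer`, `GOOD_KEY`, `INJECTED_KEY`) and the sample values are constructed here. It builds the `wg set ... peer ...` invocation as an argument list for `subprocess.run`, so no shell ever interprets the arguments, and it shows a 44-character string with shell syntax in it being rejected before it gets anywhere near `wg`.

```python
import base64
import binascii
import ipaddress
import re
import subprocess

# Constructed sample values (not taken from the mailing-list post).
GOOD_KEY = base64.b64encode(bytes(range(32))).decode()           # 44 chars, decodes to 32 bytes
INJECTED_KEY = "2BtdbBtTFW$(echo injected)AAAAAAAAAAAAAAi00="    # also 44 chars, passes a length-only check

# Hypothetical syntax rules; adjust to what your deployment accepts.
_IFNAME = re.compile(r"[A-Za-z0-9_.-]{1,15}")                      # Linux interface names are at most 15 chars
_HOSTPORT = re.compile(r"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):([0-9]{1,5})")


def is_valid_pubkey(pubkey: str) -> bool:
    """A WireGuard public key is exactly 32 bytes of Curve25519 data, base64-encoded
    to 44 characters. Decode strictly (validate=True rejects any character outside the
    base64 alphabet, e.g. '$', '(', ')' or a space) and require the canonical
    re-encoding to match, so non-canonical padding is refused as well."""
    if len(pubkey) != 44:
        return False
    try:
        raw = base64.b64decode(pubkey, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32 and base64.b64encode(raw).decode() == pubkey


def build_peer_argv(interface, pubkey, allowed_ips, endpoint=None, keepalive=30):
    """Return the wg(8) invocation as an argv list. Every field is validated against
    its own grammar, and because the result is a list (not a shell string), a value
    that somehow slipped through would still reach wg as a single literal argument."""
    if not _IFNAME.fullmatch(interface):
        raise ValueError("invalid interface name")
    if not is_valid_pubkey(pubkey):
        raise ValueError("invalid WireGuard public key (must be 32 bytes, base64)")
    # allowed-ips is a comma-separated list of CIDR networks; normalise each one.
    nets = [str(ipaddress.ip_network(n.strip(), strict=False)) for n in allowed_ips.split(",")]
    keepalive = int(keepalive)
    if not 0 <= keepalive <= 65535:
        raise ValueError("persistent-keepalive out of range")
    argv = ["wg", "set", interface, "peer", pubkey,
            "allowed-ips", ",".join(nets),
            "persistent-keepalive", str(keepalive)]
    if endpoint is not None:
        m = _HOSTPORT.fullmatch(endpoint)
        if not m or not 1 <= int(m.group(2)) <= 65535:
            raise ValueError("invalid endpoint host:port")
        argv += ["endpoint", endpoint]
    return argv


def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive=30):
    """Run wg without a shell. subprocess.run with a list never invokes /bin/sh, so
    '$(...)', ';', '|' and friends are just bytes in an argument, not commands."""
    return subprocess.run(build_peer_argv(interface, pubkey, allowed_ips, endpoint, keepalive),
                          check=True, capture_output=True, text=True)


if __name__ == "__main__":
    print("good key accepted:", is_valid_pubkey(GOOD_KEY))          # True
    print("injected key accepted:", is_valid_pubkey(INJECTED_KEY))  # False, despite len() == 44
    print(build_peer_argv("wg0", GOOD_KEY, "10.0.0.2/32", endpoint="203.0.113.5:51820"))
```

Calling `add_peer` still requires `wg` on the host, which is why the demonstration above stops at `build_peer_argv`; the property worth keeping is that the command is only ever assembled as a list and each field is checked against the format WireGuard itself defines, so the length check from the original `add_peer` becomes a side effect of real validation rather than the whole of it.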
