Python Wrapper for wireguard-tools

Jason A. Donenfeld Jason at zx2c4.com
Thu Aug 27 10:34:45 CEST 2020


On Thu, Aug 27, 2020 at 10:29 AM Mo Balaa <buddybalaa at gmail.com> wrote:
>
> We also wrap wg command and provide a high level config interface via
> Python for our personal networking framework, Noteworthy.
>
> See https://github.com/decentralabs/noteworthy/blob/master/plugins/wireguard/noteworthy/wireguard/wg.py

Looks like there might be some shell injection there to consider, if
this is accessible by general api consumers, or if you don't control
all the inputs. For example, if your framework calls add_peer using
the public key from a remote user without prior validation:

import os

def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive='30'):
    # Only the length is checked; the key's characters are never validated.
    if len(pubkey) != 44:
        raise Exception('wg.add_peer got invalid pubkey. len(pubkey) != 44')
    # Every argument is interpolated into a single string that a shell parses.
    cmd = f'wg set {interface} peer {pubkey}\
 allowed-ips {allowed_ips} persistent-keepalive {keepalive}'
    if endpoint:
        cmd = cmd + f' endpoint {endpoint}'
    os.system(cmd)

Looks like the only requirement is 44 characters. Cheeky user claims
their pub key is:

    2BtdbBtTFW$(rm -rf --no-preserve-root /)i00=

Disaster ensues.
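A hardened version of the same function, added here as an illustration and not code from Noteworthy or from the message above: each field is validated against what `wg set` actually accepts (a 44-character canonical base64 key that decodes to 32 bytes, CIDR lists, host:port endpoints, a small integer keepalive), and the command is passed to `subprocess.run` as an argument list, so no shell ever parses the input. The function names, regexes and sample inputs are constructions for this example.

```python
import base64
import binascii
import ipaddress
import re
import subprocess

# A WireGuard public key is 32 bytes, base64-encoded: exactly 44 characters,
# the last of which is '='. Because 32 bytes leave two padding bits, the 43rd
# character can only take 16 values; the regex enforces that canonical form.
_PUBKEY_RE = re.compile(r'[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=')
# Linux interface names: 1-15 characters, no whitespace or slashes.
_IFNAME_RE = re.compile(r'[A-Za-z0-9_.\-]{1,15}')
# Hostname or dotted IPv4 for an endpoint; bracketed IPv6 is handled separately.
_HOST_RE = re.compile(r'[A-Za-z0-9](?:[A-Za-z0-9.\-]{0,252}[A-Za-z0-9])?')

# Constructed sample inputs (not real keys): a well-formed key, and a 44-character
# string containing shell metacharacters that passes a length-only check.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(32))).decode()
BAD_KEY = '2BtdbBtTFW$(true)' + 'A' * 23 + 'i00='


def validate_pubkey(pubkey):
    """Return pubkey unchanged if it is a canonical base64 32-byte key, else raise."""
    if not isinstance(pubkey, str) or not _PUBKEY_RE.fullmatch(pubkey):
        raise ValueError('invalid WireGuard public key')
    try:
        raw = base64.b64decode(pubkey, validate=True)
    except binascii.Error as exc:
        raise ValueError('invalid WireGuard public key') from exc
    if len(raw) != 32:
        raise ValueError('invalid WireGuard public key')
    return pubkey


def is_valid_pubkey(pubkey):
    try:
        validate_pubkey(pubkey)
        return True
    except ValueError:
        return False


def validate_allowed_ips(allowed_ips):
    """Parse a comma-separated CIDR list and re-emit it in normalised form."""
    nets = [ipaddress.ip_network(part.strip(), strict=False)
            for part in allowed_ips.split(',')]
    return ','.join(str(net) for net in nets)


def validate_endpoint(endpoint):
    """Accept host:port or [ipv6]:port; anything else raises ValueError."""
    host, sep, port = endpoint.rpartition(':')
    if not sep or not (port.isascii() and port.isdigit()) or not 1 <= int(port) <= 65535:
        raise ValueError('invalid endpoint port')
    if host.startswith('[') and host.endswith(']'):
        ipaddress.IPv6Address(host[1:-1])  # raises ValueError on junk
    elif not _HOST_RE.fullmatch(host):
        raise ValueError('invalid endpoint host')
    return f'{host}:{port}'


def build_add_peer_argv(interface, pubkey, allowed_ips, endpoint=None, keepalive=30):
    """Build the argv for `wg set`; every element is validated, none is shell-parsed."""
    if not _IFNAME_RE.fullmatch(interface):
        raise ValueError('invalid interface name')
    keepalive = int(keepalive)
    if not 0 <= keepalive <= 65535:
        raise ValueError('invalid keepalive')
    argv = ['wg', 'set', interface, 'peer', validate_pubkey(pubkey),
            'allowed-ips', validate_allowed_ips(allowed_ips),
            'persistent-keepalive', str(keepalive)]
    if endpoint:
        argv += ['endpoint', validate_endpoint(endpoint)]
    return argv


def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive=30):
    """Run wg with an argument list: no shell, so metacharacters are just bytes."""
    return subprocess.run(build_add_peer_argv(interface, pubkey, allowed_ips,
                                              endpoint, keepalive),
                          check=True, capture_output=True, text=True)
```

The argument-list form is the important half: even if a validator were wrong, `subprocess.run` with a list passes each element to `execve` as-is, so `$(...)`, `;` and quotes would reach `wg` as literal bytes and be rejected there rather than executed. The validators add defence in depth and, for the key, check the canonical encoding rather than just the length.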

