Python Wrapper for wireguard-tools
Mo Balaa
buddybalaa at gmail.com
Thu Aug 27 10:59:27 CEST 2020
Thanks, Jason, good catch. In Noteworthy we control both sides of the
API but I'll get this fixed in case someone else happens to use this.
On Thu, Aug 27, 2020 at 3:35 AM Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> On Thu, Aug 27, 2020 at 10:29 AM Mo Balaa <buddybalaa at gmail.com> wrote:
> >
> > We also wrap wg command and provide a high level config interface via
> > Python for our personal networking framework, Noteworthy.
> >
> > See https://github.com/decentralabs/noteworthy/blob/master/plugins/wireguard/noteworthy/wireguard/wg.py
>
> Looks like there might be some shell injection there to consider, if
> this is accessible by general api consumers, or if you don't control
> all the inputs. For example, if your framework calls add_peer using
> the public key from a remote user without prior validation:
>
> def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive='30'):
>     if len(pubkey) != 44:
>         raise Exception('wg.add_peer got invalid pubkey. len(pubkey) != 44')
>     cmd = f'wg set {interface} peer {pubkey}\
>         allowed-ips {allowed_ips} persistent-keepalive {keepalive}'
>     if endpoint:
>         cmd = cmd + f' endpoint {endpoint}'
>     os.system(cmd)
>
> Looks like the only requirement is 44 characters. Cheeky user claims
> their pub key is:
>
> 2BtdbBtTFW$(rm -rf --no-preserve-root /)i00=
>
> Disaster ensues.
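A hardened version of the wrapper, added here as an illustration and not code from Noteworthy or from the thread: it accepts a key only if it is canonical base64 of exactly 32 bytes, checks the interface, allowed-ips and endpoint fields, and passes `wg` an argument list through `subprocess.run` so that no shell ever parses caller-supplied values. The names `validate_pubkey`, `build_add_peer_argv` and `SAMPLE_PUBKEY` are assumptions of this example.

```python
import base64
import binascii
import ipaddress
import re
import subprocess
# Constructed sample (not a real peer): base64 of 32 known bytes, the shape of a WireGuard key.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(32))).decode()
_HOSTPORT = re.compile(r"^([A-Za-z0-9.\-]+|\[[0-9a-fA-F:]+\]):(\d{1,5})$")

def validate_pubkey(pubkey: str) -> bool:
    """True only for canonical base64 of exactly 32 bytes (a Curve25519 key)."""
    if len(pubkey) != 44:
        return False
    try:
        raw = base64.b64decode(pubkey, validate=True)  # rejects '$', '(', ' ', ...
    except binascii.Error:
        return False
    # Re-encode so non-canonical trailing bits cannot slip through either.
    return len(raw) == 32 and base64.b64encode(raw).decode() == pubkey

def validate_allowed_ips(allowed_ips: str) -> bool:
    try:
        for net in allowed_ips.split(","):
            ipaddress.ip_network(net.strip(), strict=False)
    except ValueError:
        return False
    return True

def validate_endpoint(endpoint: str) -> bool:
    m = _HOSTPORT.match(endpoint)
    return bool(m) and 0 < int(m.group(2)) < 65536

def build_add_peer_argv(interface, pubkey, allowed_ips, endpoint=None, keepalive=30):
    """Validate every field, then return an argv list; no shell ever parses these."""
    if not re.fullmatch(r"[A-Za-z0-9_.\-]{1,15}", interface):
        raise ValueError("invalid interface name")
    if not validate_pubkey(pubkey):
        raise ValueError("invalid WireGuard public key")
    if not validate_allowed_ips(allowed_ips):
        raise ValueError("invalid allowed-ips")
    argv = ["wg", "set", interface, "peer", pubkey, "allowed-ips", allowed_ips,
            "persistent-keepalive", str(int(keepalive))]
    if endpoint is not None:
        if not validate_endpoint(endpoint):
            raise ValueError("invalid endpoint")
        argv += ["endpoint", endpoint]
    return argv

def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive=30):
    # An argv list without shell=True hands each value to wg as one argument.
    subprocess.run(build_add_peer_argv(interface, pubkey, allowed_ips, endpoint, keepalive), check=True)
```

With this shape a 44-character string that merely looks like a key fails base64 validation before any command is built.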