Description
[AI-SCAN-RESULT]
This issue was identified during a comprehensive static analysis of the autograder codebase.
The system is vulnerable to shell command injection during sandbox preparation and file extraction. Filenames provided in a submission are directly interpolated into shell commands executed within the sandbox container using exec_run. A malicious actor could provide a filename containing shell metacharacters (e.g., $(reboot) or "; malicious_cmd; #") to execute arbitrary commands within the sandbox.
While the code runs inside a gVisor/Docker sandbox, this vulnerability allows bypassing intended application logic and could potentially be used for container escape or lateral movement if additional vulnerabilities exist in the container runtime.
Location
autograder/sandbox_manager/sandbox_container.py
Methods: prepare_workdir, run_commands, extract_file
Recommended Fix
- Use Native APIs: Instead of using shell commands (echo ... | base64 -d > ...), use the docker-py API's native file-handling capabilities like put_archive (for uploading files) and get_archive (for extracting files). Note: get_archive may have issues with gVisor; if so, see point 2.
- Strict Sanitization: If shell commands must be used, rigorously sanitize all filenames. Allow only alphanumeric characters, dots, and underscores. Alternatively, use shlex.quote() to safely escape filenames before interpolation.
- Avoid Shell Execution: Where possible, pass commands as lists (e.g., ["mkdir", "-p", full_dir_path]) instead of single strings executed via /bin/sh -c.
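A sketch of the three recommendations combined, added here as an illustration and not taken from the autograder codebase: filenames are checked against the allow-list, files are packed into an in-memory tar for put_archive, and commands are built as lists. The function names and the "/workdir" path in the comment are hypothetical.

```python
import io
import re
import shlex
import tarfile
from pathlib import PurePosixPath

# Allow-list from the recommendation: alphanumerics, dots and underscores
# in each path component (directories are separated by "/").
_SAFE_COMPONENT = re.compile(r"[A-Za-z0-9_.]+")

def validate_relpath(name: str) -> str:
    """Return the relative path if every component is allow-listed, else raise."""
    path = PurePosixPath(name)
    if path.is_absolute() or not path.parts:
        raise ValueError(f"unsafe filename: {name!r}")
    for part in path.parts:
        if part == ".." or not _SAFE_COMPONENT.fullmatch(part):
            raise ValueError(f"unsafe filename: {name!r}")
    return str(path)

def build_upload_archive(files: dict[str, bytes]) -> bytes:
    """Pack submission files into a tar held in memory.

    The result is what docker-py's container.put_archive(path, data) expects,
    e.g. container.put_archive("/workdir", archive)  # hypothetical path
    No filename ever reaches a shell on this route.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(validate_relpath(name))
            info.size = len(data)
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def mkdir_argv(full_dir_path: str) -> list[str]:
    """List-form command for exec_run, as in the recommendation above."""
    return ["mkdir", "-p", full_dir_path]

def quoted_for_shell(name: str) -> str:
    """Fallback for the case where a shell string cannot be avoided."""
    return shlex.quote(name)
```
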