Fix Command Injection Vulnerability in Admin Login (SCRUM-20)

Security Issue: Command Injection Vulnerability (CWE-78)

External Reference

Jira Issue: SCRUM-20

Problem Description

The /admin-login route contains a command injection vulnerability: user-supplied input is interpolated directly into a shell command string that is then executed via subprocess.check_output(command, shell=True). Because the shell parses that string, an attacker who controls the username or password field can execute arbitrary system commands.

Vulnerability Details

  • Type: Command Injection (CWE-78)
  • Severity: BLOCKER
  • SonarQube Rule: pythonsecurity:S2076
  • Location: app.py lines 89-91

Vulnerable Code

command = f"grep '{submitted_username}:{submitted_password}' /app/users.txt"
result = subprocess.check_output(command, shell=True).decode('utf-8')

Security Impact

  • Allows arbitrary command execution on the server
  • Can lead to complete system compromise
  • Enables data exfiltration and lateral movement

Remediation Required

  • Replace shell=True with shell=False
  • Pass the command as a proper argument list instead of a concatenated string
  • Eliminate all shell command injection vectors
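As an added example (not the project's own code), this is one way to implement the remediation above: the grep lookup is kept, but the command is passed as an argument list with no shell, so user input can never be parsed as shell syntax. The function names, the sample users file and the test inputs are constructed for this example; the real /app/users.txt is not used.

```python
import os
import subprocess
import tempfile


def credentials_match(username: str, password: str, users_file: str) -> bool:
    """Hardened replacement for the grep-based lookup: no shell, list arguments."""
    # grep treats a newline as a pattern separator, and ':' in the username would
    # shift the field boundary, so reject such input before it reaches grep.
    if "\n" in username or "\n" in password or ":" in username:
        return False
    pattern = f"{username}:{password}"
    # The pattern is a single argv element: shell metacharacters such as ; | $( )
    # reach grep as literal characters and are never interpreted by a shell.
    #   -F  fixed-string match (no regex), -x  whole-line match, -q  no output
    #   --  ends option parsing so input starting with '-' cannot act as a flag
    completed = subprocess.run(
        ["grep", "-qxF", "--", pattern, users_file],
        shell=False,
        check=False,
    )
    # grep exits 0 on match, 1 on no match, 2 on error; only 0 is a valid login.
    return completed.returncode == 0


def make_sample_users_file() -> str:
    """Write a constructed users.txt (sample data only, not the real /app/users.txt)."""
    fd, path = tempfile.mkstemp(suffix="-users.txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("alice:s3cret\nbob:hunter2\n")
    return path


def demo() -> dict:
    """Exercise the hardened lookup against the constructed file."""
    path = make_sample_users_file()
    try:
        return {
            "valid": credentials_match("alice", "s3cret", path),
            "wrong_password": credentials_match("alice", "wrong", path),
            # shell metacharacters are inert: just a non-matching literal string
            "metacharacters": credentials_match("alice", "x; y | z", path),
            # a regex that would match under plain grep is a non-match under -F
            "regex_attempt": credentials_match("alice", "s3cret.*", path),
            # input beginning with '-' is not parsed as a grep option
            "leading_dash": credentials_match("-r", "anything", path),
        }
    finally:
        os.unlink(path)
```

Because no shell is involved, the SonarQube S2076 finding no longer applies to this call; the input checks on newlines and ':' close the remaining ways a crafted value could change what grep matches.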

Acceptance Criteria

  • Remove shell=True from subprocess calls
  • Use list-based arguments for subprocess
  • All security tests pass
  • No regression in functionality
  • SonarQube rule no longer triggers

Labels

security, vulnerability, command-injection, blocker