🔒 Fix SCRUM-20: Resolve Command Injection Vulnerability (CWE-78)

Security Fix: Command Injection Vulnerability (CWE-78)

Issue Reference

  • GitLab Issue: #31
  • Jira Issue: SCRUM-20
  • Vulnerability Type: Command Injection (CWE-78)
  • Severity: BLOCKER
  • SonarQube Rule: pythonsecurity:S2076

Problem Description

The /admin-login route contained a command injection vulnerability where user input was directly used in a shell command via subprocess.check_output(command, shell=True). This allowed potential attackers to execute arbitrary system commands.

Solution Implemented

  • Replaced vulnerable shell=True with secure shell=False
  • Changed from string concatenation to proper argument list
  • Maintained existing functionality while eliminating security risk
  • All existing tests continue to pass

Code Changes

Before (Vulnerable):

command = f"grep '{submitted_username}:{submitted_password}' /app/users.txt"
result = subprocess.check_output(command, shell=True).decode('utf-8')

After (Secure):

result = subprocess.check_output(
    ['grep', f'{submitted_username}:{submitted_password}', '/app/users.txt'],
    shell=False
).decode('utf-8')
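The shell=False form above hands grep the credential string as one argument, but grep still parses that argument itself: a value beginning with '-' is read as an option and regex metacharacters are interpreted. The following added example (not code from this merge request) shows the same lookup hardened with -F, -x and --, run against a constructed users file; /app/users.txt is the path from the description and the function names are assumptions.

```python
import os
import shutil
import subprocess
import tempfile
from typing import List, Optional

USERS_FILE = "/app/users.txt"  # path taken from the merge request description


def build_grep_argv(username: str, password: str, users_file: str = USERS_FILE) -> List[str]:
    """Build the argv for the credential lookup without a shell.

    Beyond the merge request's ['grep', pattern, file] form this adds:
      -F   pattern is a fixed string, so '.', '*', '[' in input stay literal
      -x   the whole line must match, not a substring of it
      --   end of options, so input beginning with '-' cannot become a grep flag
    """
    for field in (username, password):
        # ':' would shift the field boundary; a line break would split the pattern
        # into several patterns, either of which could match a different user.
        if ":" in field or "\n" in field or "\r" in field:
            raise ValueError("credential field contains ':' or a line break")
    return ["grep", "-F", "-x", "--", f"{username}:{password}", users_file]


def credentials_match(username: str, password: str, users_file: str = USERS_FILE) -> bool:
    """Run grep with shell=False; exit 1 means no match, anything else is an error."""
    proc = subprocess.run(build_grep_argv(username, password, users_file), capture_output=True)
    if proc.returncode == 0:
        return True
    if proc.returncode == 1:
        return False
    raise RuntimeError(proc.stderr.decode("utf-8", "replace"))


def demo() -> Optional[dict]:
    """Exercise the lookup on a constructed users file; None if grep is unavailable."""
    if shutil.which("grep") is None:
        return None
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write("alice:s3cret\nbob:hunter2\n")  # constructed sample entries
    try:
        return {
            "valid": credentials_match("alice", "s3cret", path),
            "wrong_pw": credentials_match("alice", "nope", path),
            "substring": credentials_match("lice", "s3cre", path),  # -x rejects partial lines
            "regex_meta": credentials_match(".*", ".*", path),      # -F keeps these literal
            "dash_prefix": credentials_match("-r", "x", path),      # '--' keeps this a pattern
        }
    finally:
        os.remove(path)
```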

Testing

  • All 33 unit tests pass
  • Functionality verified and maintained
  • Security vulnerability eliminated

Security Impact

This fix eliminates the command injection vulnerability while preserving the educational nature of the demo application. The fix demonstrates secure coding practices for subprocess usage.

Closes #31

Edited by Falko Sieverding
