From d780dcc1f524c92aa3786ec29c5c059e921d6fd8 Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@member.fsf.org>
Date: Thu, 23 Jul 2020 17:27:54 -0700
Subject: [PATCH] SECURITY: Prevent invoking firejail's --output functionality

firejail has an RCE in its handling of --output when dealing with untrusted
arguments. We can avoid this issue by preventing shelling out to firejail
if any parameter starts with '--output'.

Change-Id: Ic6a5644566a51a948de7b42daf57b29ced3daff4
---
 includes/shell/FirejailCommand.php | 32 ++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/includes/shell/FirejailCommand.php b/includes/shell/FirejailCommand.php
index 5db89373b6..5a7434b950 100644
--- a/includes/shell/FirejailCommand.php
+++ b/includes/shell/FirejailCommand.php
@@ -48,6 +48,38 @@ class FirejailCommand extends Command {
 		$this->firejail = $firejail;
 	}
 
+	/**
+	 * Reject any parameters that start with --output to prevent
+	 * exploitation of a firejail RCE
+	 *
+	 * @param string|string[] ...$args
+	 * @return $this
+	 */
+	public function params( ...$args ): Command {
+		if ( count( $args ) === 1 && is_array( reset( $args ) ) ) {
+			// If only one argument has been passed, and that argument is an array,
+			// treat it as a list of arguments
+			$args = reset( $args );
+		}
+		foreach ( $args as $arg ) {
+			if ( substr( $arg, 0, 8 ) === '--output' ) {
+				$ex = new RuntimeException(
+					'FirejailCommand does not support parameters that start with --output'
+				);
+				$this->logger->error(
+					'command tried to shell out with a parameter starting with --output',
+					[
+						'arg' => $arg,
+						'exception' => $ex
+					]
+				);
+				throw $ex;
+			}
+		}
+
+		return parent::params( ...$args );
+	}
+
 	/**
 	 * @inheritDoc
 	 */
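Review bot: The prefix test in the new `params()` override only covers arguments added through that method; if the parent `Command` exposes another way to append arguments (an unescaped-parameter variant, for example — not visible in this hunk), those arguments would reach firejail unchecked, so the same check should be applied there or moved into a shared private helper such as `private function assertNoOutputOption( $arg ): void`. A bare `substr( $arg, 0, 8 ) === '--output'` match also rejects legitimate options of the wrapped program (e.g. `--output-dir`); that trade-off looks intentional, and the docblock should state it, e.g. `Note: this also rejects legitimate --output* options of the sandboxed command, which therefore cannot be run via FirejailCommand.` The guard assumes every element of `$args` is a string; a nested array would make `substr()` fail before the check runs, so the docblock's `string|string[]` should be enforced or documented as a hard requirement. The `$this->logger` used in the error path is presumably set by the parent class, which this hunk does not show; the rest of the class continues outside the hunk.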
-- 
2.26.2

