box: eliminate code injection in replication_synchro_quorum
It was possible to execute arbitrary Lua code outside of the setfenv()
environment. Example:

NO_WRAP
```lua
tarantool> box.cfg{replication_synchro_quorum = [=[N / 2 + 1]] _G.test = true --[[]=]}
tarantool> test
---
- true
...
```
NO_WRAP

How it works:

```lua
local expr = [[%s]]
```

Let's assume that `%s` is replaced by `]]<..code..>--[[`. The result is
the following (newlines are added for readability):

```lua
local expr = [[]]
<..code..>
--[[]]
```

This code is executed outside of the setfenv() protected function.

The fix is to pass the expression as an argument instead of using
`snprintf()`.

Fixes https://github.com/tarantool/security/issues/20
Fixes GHSA-74jr-2fq7-vp42

NO_DOC=bugfix
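The following is an added illustration, not code from the commit or from Tarantool's `box.cc`. It reproduces in plain Lua 5.1 / LuaJIT (the dialect Tarantool embeds, which still has `setfenv` and `loadstring`) the two patterns the message contrasts: splicing the user-controlled expression into the chunk source inside a `[[...]]` long bracket, versus handing it to the chunk as an argument. The sandbox table `make_env`, the function names and the `_G.injected` marker are assumptions made for the example; the real quorum evaluator's environment and wrapper text are not reproduced here.

```lua
-- Added example (not Tarantool's code). Lua 5.1 / LuaJIT.
-- Assumed sandbox: the only names a quorum formula should see.
local function make_env(n)
    return { N = n, math = math }
end

-- VULNERABLE pattern: the expression text is formatted into the chunk
-- source. A `]]` inside it terminates the long-bracket string, and what
-- follows is compiled as ordinary statements of the outer chunk. That
-- chunk runs in the global environment, before setfenv() is applied to
-- the inner function, so the injected statements escape the sandbox.
local function eval_quorum_vulnerable(expr_str, n)
    local src = string.format(
        "local expr = [[%s]]\n" ..
        "local f = assert(loadstring('return ' .. expr))\n" ..
        "return f", expr_str)
    local chunk = assert(loadstring(src))
    local f = chunk()                 -- runs in _G: injection happens here
    setfenv(f, make_env(n))           -- too late for anything already run
    return f()
end

-- FIXED pattern: the expression never becomes part of the source text.
-- It arrives through the vararg `...`, so it is string data only; the
-- inner loadstring() still compiles it, but the resulting function is
-- confined with setfenv() before it is called.
local function eval_quorum_fixed(expr_str, n)
    local chunk = assert(loadstring(
        "local expr = ...\n" ..
        "local f = assert(loadstring('return ' .. expr))\n" ..
        "return f"))
    local f = chunk(expr_str)         -- expr_str is an argument, not code
    setfenv(f, make_env(n))
    return f()
end

-- Constructed input: a valid formula followed by a long-bracket breakout,
-- shaped like the payload in the commit message.
local payload = "N / 2 + 1]] _G.injected = true --[["

eval_quorum_vulnerable(payload, 3)
print("vulnerable: _G.injected =", _G.injected)   -- true: escaped the sandbox

_G.injected = nil
local ok, err = pcall(eval_quorum_fixed, payload, 3)
print("fixed: ok =", ok, "_G.injected =", _G.injected)  -- false, nil
-- With the fix the payload is only a malformed expression ("]]" after the
-- formula is a syntax error), so the assert inside the chunk fails and
-- nothing runs outside make_env().

print("fixed, benign formula:", eval_quorum_fixed("N / 2 + 1", 3))  -- 2.5
```

The point to carry away is the one the commit makes: delimiters chosen by the code (`[[`/`]]`, quotes, `snprintf` format strings) cannot fence attacker-chosen text, because the attacker can reproduce the closing delimiter; data must cross into the chunk through an argument or upvalue, never through the source string.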
Showing 4 changed files:
- changelogs/unreleased/replication-synchro-quorum-code-injection.md (4 additions, 0 deletions)
- src/box/box.cc (7 additions, 19 deletions)
- test/box-luatest/replication_synchro_quorum_code_injection_test.lua (23 additions, 0 deletions)
- test/replication/gh-5446-qsync-eval-quorum.result (1 addition, 1 deletion)