Posted to issues@bookkeeper.apache.org by GitBox <gi...@apache.org> on 2020/07/29 17:46:57 UTC

[GitHub] [bookkeeper] deepanjanpal opened a new issue #2391: Static Source Code Security Scanner showing Command Injection vulnerability in Bookkeeper

deepanjanpal opened a new issue #2391:
URL: https://github.com/apache/bookkeeper/issues/2391


   **Static Source Code Security Scanner showing Command Injection vulnerability in Bookkeeper**
   
   ***OS Command Injection in Bookkeeper***
   
   A clear and concise description of what the bug is.
   
   ***To Reproduce***
   
   Steps to reproduce the behavior:
   1. Launch a source code scan with Checkmarx Static Code Scanner
   2. After completion of the source code scan, the tool throws an OS command injection vulnerability against the files mentioned in the attached document.
   
   
   ***Expected behavior***
   
   OS Command Injection vulnerability should not be present in any files of Bookkeeper. All user input should be sanitized to check for any OS commands and either whitelist or blacklist those commands.
   
   [Pravega_Bookkeeper_OS Command Injection.xlsx](https://github.com/apache/bookkeeper/files/4994467/Pravega_Bookkeeper_OS.Command.Injection.xlsx)
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
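The expected-behaviour paragraph above asks that user input reaching an OS command be allowlisted. As an added example (not BookKeeper's code, and not any of the files the attached scan report refers to), the Java class below shows the two layers a practitioner would want to see: an allowlist check on the untrusted argument, and invocation through `ProcessBuilder` with argv as a list, so that no shell ever parses the argument. The class name, the fixed tool path `/usr/bin/du` and the "ledger directory name" argument are assumptions made for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not BookKeeper code: run an external tool with an untrusted
 * argument while giving that argument no route to a shell. The tool path and
 * the directory layout are assumptions for illustration only.
 */
public final class AllowlistedCommand {

    // Allowlist of what an argument may look like. Spaces, quotes, ';', '|',
    // '$', '/', newlines and anything else outside this set are rejected
    // before any process is started.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    // Hypothetical tool with a fixed path that the caller cannot influence.
    private static final String TOOL = "/usr/bin/du";

    private AllowlistedCommand() {}

    /** Returns the input unchanged if it passes the allowlist, otherwise throws. */
    public static String requireSafeName(String input) {
        if (input == null || !SAFE_NAME.matcher(input).matches()
                || input.equals(".") || input.equals("..")) {
            throw new IllegalArgumentException("argument rejected by allowlist: " + input);
        }
        return input;
    }

    /**
     * Builds argv as a list of separate strings. ProcessBuilder hands each
     * element to the new process as one argument; no shell parses the line,
     * so metacharacters in dirName would not be interpreted even if the
     * allowlist check were missing. Both layers are kept on purpose.
     */
    public static List<String> buildArgv(Path baseDir, String dirName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(requireSafeName(dirName)).normalize();
        if (!target.startsWith(base)) { // belt and braces: stay under baseDir
            throw new IllegalArgumentException("path escapes base directory");
        }
        return List.of(TOOL, "-sk", target.toString());
    }

    /** Runs the tool and returns its first output line (du prints "size<TAB>path"). */
    public static String run(Path baseDir, String dirName) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(buildArgv(baseDir, dirName));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        String firstLine;
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            firstLine = r.readLine();
        }
        int rc = p.waitFor();
        if (rc != 0) {
            throw new IOException(TOOL + " exited with status " + rc);
        }
        return firstLine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed layout: a scratch base directory with one ledger subdirectory.
        Path base = Files.createTempDirectory("bk-example");
        Files.createDirectory(base.resolve("ledgers"));

        // A plain name passes the allowlist and the tool is invoked with a separate argv.
        System.out.println("ok: " + run(base, "ledgers"));

        // Constructed bad inputs: both are rejected before any process is started.
        for (String bad : new String[] {"ledgers;ls", "../ledgers"}) {
            try {
                buildArgv(base, bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The point of the design is that validation alone is fragile (a scanner such as the one in this report will still flag string concatenation into a shell command, and a future edit to the regex can reopen the hole), whereas argv-as-list removes the shell from the path entirely; keeping both makes the intent obvious to reviewers and to static analysis.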



[GitHub] [bookkeeper] eolivelli commented on issue #2391: Static Source Code Security Scanner showing Command Injection vulnerability in Bookkeeper

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #2391:
URL: https://github.com/apache/bookkeeper/issues/2391#issuecomment-712317346


   We are working on releasing BK 4.11.1 and we are also fixing the Docker autobuild (see #2446).





[GitHub] [bookkeeper] deepanjanpal commented on issue #2391: Static Source Code Security Scanner showing Command Injection vulnerability in Bookkeeper

Posted by GitBox <gi...@apache.org>.
deepanjanpal commented on issue #2391:
URL: https://github.com/apache/bookkeeper/issues/2391#issuecomment-675384957


   Hi,
   any updates on this?





[GitHub] [bookkeeper] bmaluruEMC commented on issue #2391: Static Source Code Security Scanner showing Command Injection vulnerability in Bookkeeper

Posted by GitBox <gi...@apache.org>.
bmaluruEMC commented on issue #2391:
URL: https://github.com/apache/bookkeeper/issues/2391#issuecomment-712305006


   Any update on this please?





[GitHub] [bookkeeper] deepanjanpal commented on issue #2391: Static Source Code Security Scanner showing Command Injection vulnerability in Bookkeeper

Posted by GitBox <gi...@apache.org>.
deepanjanpal commented on issue #2391:
URL: https://github.com/apache/bookkeeper/issues/2391#issuecomment-672011657


   Hi @sijie,
   Thanks for looking into it; may I please request any updates over here.

