Fix CWE-78 (#315)
Signed-off-by: Taras Drozdovskyi <t.drozdovsky@samsung.com>

After analyzing the existing code, it should be noted that sanitization measures have been made in the edge-orchestration:

1. analysis for a command injection using an escape sequence
2. filtering commands that are on the blacklist
3. only those commands that are previously described in the configuration file (ex. ls_srv.conf) can be executed.

Strengthening against attacks of this kind can be:

1. Using the integrity check and digital signature of the configuration file.
2. Applying Linux Kernel protection modules.

All attempts to eliminate the security alert by changing the source code were unsuccessful.
The elimination requires hard-coding the string literals of the commands to be used, but this greatly limits the flexibility of the edge-orchestration and doesn't add a significant increase in security.

Therefore, I propose to mark this alert as a false positive.

Fixes #298
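A validation gate of the kind the commit message describes (a command allowlist taken from the configuration file plus argument filtering) placed in front of the `exec.Command` call, written here as an added Go example; it is not code from edge-orchestration, and the allowlist contents, the `ValidateParams`/`BuildCommand` names and the permitted argument character set are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// Constructed allowlist standing in for the commands a configuration file
// such as ls_srv.conf would permit (hypothetical content, not the project's).
var allowedCommands = map[string]bool{
	"ls":   true,
	"echo": true,
}

// Conservative argument character set (an assumption): rejects shell
// metacharacters and whitespace so nothing downstream can re-interpret them.
var safeArg = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

// ValidateParams gates a command vector before it reaches exec.Command:
// empty vector, command not on the allowlist, or an argument with
// disallowed characters all cause a rejection.
func ValidateParams(params []string) error {
	if len(params) == 0 || params[0] == "" {
		return errors.New("error: empty parameter")
	}
	if !allowedCommands[params[0]] {
		return fmt.Errorf("command %q is not allowlisted", params[0])
	}
	for _, a := range params[1:] {
		if !safeArg.MatchString(a) {
			return fmt.Errorf("argument %q contains disallowed characters", a)
		}
	}
	return nil
}

// BuildCommand mirrors the call in the hunk, but only after validation.
func BuildCommand(params []string) (*exec.Cmd, error) {
	if err := ValidateParams(params); err != nil {
		return nil, err
	}
	return exec.Command(params[0], params[1:]...), nil
}

func main() {
	for _, p := range [][]string{{"ls", "-l", "/tmp"}, {"cat", "/etc/hostname"}, {"ls", "-l; id"}} {
		_, err := BuildCommand(p)
		fmt.Printf("%v -> %v\n", p, err)
	}
}
```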
tdrozdovsky committed Jun 21, 2021
1 parent ce8ffe8 commit e13d11c
Showing 1 changed file with 2 additions and 1 deletion.
Expand Up @@ -81,7 +81,8 @@ func (t NativeExecutor) setService() (cmd *exec.Cmd, pid int, err error) {
err = errors.New("error: empty parameter")
return
}
cmd = exec.Command(t.ParamStr[0], t.ParamStr[1:]...)

cmd = exec.Command(t.ParamStr[0], t.ParamStr[1:]...) // lgtm[go/command-injection]

// set "owner" account: need to execute user app
/*
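Review bot: the `// lgtm[go/command-injection]` suppression added to `cmd = exec.Command(t.ParamStr[0], t.ParamStr[1:]...)` documents nothing at the call site about why the alert is a false positive, so a later reader of `setService` cannot tell that `t.ParamStr` is already restricted to commands listed in the configuration file and filtered against the blacklist, as the commit message states. Suggest the comment name those controls and where they run (or link to them) so the suppression can be audited, and since the hunk changes no behaviour, a title such as "Suppress false-positive CWE-78 alert" would describe the change more accurately than "Fix CWE-78". Minor: the blank line inserted above the call is stray whitespace.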

0 comments on commit e13d11c
