Prevent running malicious commands in project settings

Hi there.

Considering the possibility of running commands in project settings (Projects : Node-RED), I encountered "Remote code execution" as a pen test result for one of my clients who uses Node-RED as our software package. This is just a result of a pen test and might not really be causing security issues.

Is it possible to do a sanity check for text entered as input for this dialog?

There are many ways of running linux commands from Node-red.

For security the Node-red user account should be dedicated to Node-red and have no elevated privileges, especially no sudo access.

For what it's worth, cat /etc/passwd is not necessarily a dangerous or malicious command.

Thanks for your reply. Is it possible at all to prevent any command from running or even being saved?

@bfany365 if you believe you have found a security issue, please report it privately rather than publicly disclosing it.

1 Like

I am not sure it can be a security issue; my main question is to see if I can prevent or limit the text that a user can input as dependencies.

The recommendation now is to make settings.js owned by root so that a normal user (or node-red itself) cannot modify that file.

1 Like

@bfany365 you have said it is possible to cause a remote code execution attack via project settings. That has now been publicly disclosed to the world and we now need to address it. This is why security issues should be raised privately with the project so that we have a chance to fix them before they become public knowledge.

@Colin this is the Project Settings which are edited via the NR editor. This is unrelated to the main settings.js file.

@knolleary
I will rephrase my question. Thanks for your input, because it is in fact a result of a "pen test result" that was shared with me and I am not sure if it really happened.

@bfany365 to be clear, even after you have reworded the question, this is still a question about a potential security issue. Even if you are not sure if it is a real issue or not - it is better to ask privately.

I have now investigated this issue and I do not believe it is a real problem.

The JSON entered in this dialog will get written under the dependencies section of the project's package.json file. The contents are never evaluated as a shell command - there is no RCE here.

1 Like
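The input check asked about earlier in the thread, as an added example that is not Node-RED's own code: since the dialog text ends up under "dependencies" in package.json, a sanity check only needs to confirm it is a flat JSON object of npm package names mapped to version specifiers. The name and range patterns are a conservative approximation written for this example, not the npm rules verbatim, and the sample inputs are constructed.

```javascript
// Added example (not Node-RED's own code): a defensive sanity check for the
// JSON a user types into the Projects "dependencies" dialog. The dialog
// content is written into package.json "dependencies", so the check confirms
// it is a flat object of npm package names mapped to version specifiers.
// The patterns are a conservative approximation of npm's rules, written here.

// npm package name: optional @scope/, lowercase, URL-safe characters only.
const NAME_RE = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
// Version specifier: semver range characters only (^1.2.3, ~2.0, >=1 <2, x, *).
// Git URLs, file: paths and tarball URLs contain ':' or '/' and are rejected.
const RANGE_RE = /^[0-9A-Za-z.\-+*^~<>=| x]+$/;

function validateDependencies(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    return { ok: false, errors: ['not valid JSON: ' + e.message] };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, errors: ['dependencies must be a JSON object'] };
  }
  const errors = [];
  for (const [name, range] of Object.entries(parsed)) {
    // npm limits package names to 214 characters.
    if (name.length > 214 || !NAME_RE.test(name)) {
      errors.push(`invalid package name: ${JSON.stringify(name)}`);
    }
    if (typeof range !== 'string' || range.length === 0 || !RANGE_RE.test(range)) {
      errors.push(`invalid version specifier for ${JSON.stringify(name)}: ${JSON.stringify(range)}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample inputs: one well-formed, one with a shell-looking key
// (rejected as a package name) and a git URL (rejected as a range).
const GOOD = '{"node-red-dashboard": "^3.6.0", "@scope/pkg": ">=1.0.0 <2.0.0"}';
const BAD = '{"node-red-dashboard; cat /etc/passwd": "^3.6.0", "lodash": "git+https://example.invalid/repo.git"}';

console.log(validateDependencies(GOOD)); // { ok: true, errors: [] }
console.log(validateDependencies(BAD));  // ok: false, two errors
```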

I don't know enough about the added complexities of Projects, but more generally:

Node-red is a programming language like many others (better, obviously) and it can run operating system commands.
I don't believe there is any way to prevent it from running OS commands.
Perhaps you could prevent a user from deploying any changes to their flows. That would mean they could not create or modify flows, so you might as well prohibit their access to the Node-red editor.

Linux itself does have various mechanisms to limit what a user can see or do.
Node-red correctly installed does not subvert those mechanisms.
So I can run cat /etc/passwd but if I try and run rm -rf / Linux will prevent it.

This isn't a Node-RED security issue other than the fact that Node-RED has a LOT of power.

If you have configured your OS correctly, no user - nor Node-RED - should be able to run such a command. If they/it can, that is certainly a pen test failure and would certainly need resolving.

As it stands we don't know (and don't want to know - see Nick's comment) whether that command would succeed or not.

1 Like