binance-trading-bot Command Injection Vulnerability in Restore Endpoint Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the binance-trading-bot application, specifically within the restore endpoint. It allows an authenticated user to execute arbitrary code on the host system, resulting in remote code execution. The root cause is that the name of the uploaded file is passed to a shell execution function with no sanitization beyond basic path normalization; path normalization strips directory components but does nothing about shell metacharacters. As a result, an authorized user can inject commands that run with the privileges of the application's user.

Impact

Exploitation of this vulnerability allows for remote code execution on the host system where binance-trading-bot is running.

Reproduction

To reproduce this vulnerability, send a POST request to the '/restore' endpoint with an archive file. The filename should be crafted to include command injection payloads, such as a command to create a file in the '/tmp' directory. Include a valid authentication token in the request headers. The injected command will be executed on the server, demonstrating the command injection vulnerability.

Remediation

Users are advised to upgrade to version 0.0.100, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          10.0
exploitability  6.6
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.