OliveTin Command Injection Vulnerability in Shell Mode Webhook Actions
Vulnerability
A critical command injection vulnerability has been identified in OliveTin versions through 3000.10.0. The issue arises in shell mode, where the safety check for user-supplied arguments fails to block the 'password' type. This oversight allows authenticated users to inject shell metacharacters and execute arbitrary operating system commands on the host. Additionally, an independent vector enables unauthenticated remote code execution by exploiting webhook-extracted JSON values that bypass type safety checks before being executed as shell commands. When both vectors are combined, the vulnerability allows unauthenticated remote code execution on any OliveTin instance using shell mode with webhook-triggered actions.
Impact
Exploitation of this vulnerability leads to unauthorized execution of operating system commands on the OliveTin host, with the actions being performed under the privileges of the OliveTin process.
Reproduction
The vulnerability can be reproduced in two ways. First, an authenticated user can send a POST request to the '/api/StartAction' endpoint that includes an argument of type 'password' containing injected shell metacharacters; the injected command is then executed. Second, an unauthenticated attacker can send a POST request to a webhook endpoint, such as '/webhook/git-deploy', with a payload that injects a command into a 'git_message' field; that injected command is executed on the server.
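To make the two weaknesses described above concrete (the per-type safety check that exempts the 'password' type, and webhook-extracted values that never pass through that check), here is an added example, written for this page and not taken from OliveTin's code base. It models the flawed check beside a hardened one that screens every argument regardless of declared type, routes webhook-extracted fields through the same gate, and shows the stronger fix of passing values as separate argv elements so no shell ever parses them. The `Argument` type, the function names and the sample payload are hypothetical constructions for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// Argument models one action argument: its declared type and the value
// supplied over the API or extracted from a webhook payload. This is a
// hypothetical model written for this example, not OliveTin's own types.
type Argument struct {
	Name  string
	Type  string // e.g. "ascii", "url", "password"
	Value string
}

// shellMeta matches characters a POSIX shell treats specially when a value
// is interpolated into a command line.
var shellMeta = regexp.MustCompile("[;&|$`<>(){}\\n\\\\'\"*?]")

func screen(a Argument) error {
	if shellMeta.MatchString(a.Value) {
		return fmt.Errorf("argument %q contains shell metacharacters", a.Name)
	}
	return nil
}

// unsafeValidate models the flaw the advisory describes: metacharacter
// screening is skipped for the "password" type, so such a value reaches the
// shell unchecked.
func unsafeValidate(a Argument) error {
	if a.Type == "password" {
		return nil // the oversight: one type is exempt from screening
	}
	return screen(a)
}

// hardenedValidate screens every argument, whatever its declared type; no
// type is exempt.
func hardenedValidate(a Argument) error {
	return screen(a)
}

// webhookArguments turns fields picked out of a webhook's JSON body into
// Arguments and runs them through the same gate as API-supplied arguments.
// The advisory's second vector exists because webhook values skipped this.
func webhookArguments(payload map[string]string, fields []string) ([]Argument, error) {
	var args []Argument
	for _, f := range fields {
		v, ok := payload[f]
		if !ok {
			return nil, fmt.Errorf("webhook field %q missing from payload", f)
		}
		a := Argument{Name: f, Type: "webhook", Value: v}
		if err := hardenedValidate(a); err != nil {
			return nil, err
		}
		args = append(args, a)
	}
	return args, nil
}

// buildArgv is the stronger fix: rather than rendering values into a shell
// string, each value becomes its own argv element. exec.Command hands argv
// to the program directly, so metacharacters in a value are inert data.
func buildArgv(program string, fixed []string, args []Argument) []string {
	argv := append([]string{program}, fixed...)
	for _, a := range args {
		argv = append(argv, a.Value)
	}
	return argv
}

func main() {
	// Constructed sample: a "password" value carrying a semicolon.
	pw := Argument{Name: "token", Type: "password", Value: "s3cret;extra"}
	fmt.Println("unsafe:", unsafeValidate(pw))     // <nil>: the value slips through
	fmt.Println("hardened:", hardenedValidate(pw)) // rejected

	// Constructed webhook body with a metacharacter in the commit message.
	body := map[string]string{"git_message": "Release 1.2; see notes"}
	_, err := webhookArguments(body, []string{"git_message"})
	fmt.Println("webhook:", err)

	// The same message is harmless when passed as a discrete argv element.
	msg := Argument{Name: "msg", Type: "ascii", Value: "Release 1.2; see notes"}
	argv := buildArgv("git", []string{"commit", "-m"}, []Argument{msg})
	cmd := exec.Command(argv[0], argv[1:]...) // no shell involved
	fmt.Println("argv:", cmd.Args)
}
```

The design point is that a per-type exemption is a single missed branch away from full command execution, while a gate applied to every input (and, better, an argv-based execution path that never consults a shell) removes the class of bug rather than one instance of it.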
