ArchiveBox
cpe:2.3:a:archivebox:archivebox:*:*:*:*:*:*:*
- <= 0.8.6rc0
A remote code execution vulnerability exists in ArchiveBox versions through 0.8.6rc0. The issue arises in the '/add/' endpoint, where a config JSON field is merged into the crawl configuration without proper validation. This unvalidated config is then exported as environment variables when archive plugins are executed, allowing the injection of arbitrary tool arguments that can lead to remote code execution. The vulnerability is particularly concerning because it can be exploited without authentication when 'PUBLIC_ADD_VIEW' is set to true, which is common for bookmarklet usage.
Exploitation of this vulnerability allows for remote code execution on the ArchiveBox server. When 'PUBLIC_ADD_VIEW' is true, this can be done without authentication.
To reproduce this vulnerability, send a POST request to the '/add/' endpoint with a URL and a config JSON field that includes the 'YTDLP_ARGS_EXTRA' key. This key can be used to inject commands that will be executed on the server via the yt-dlp tool. After the crawl runs, the injected command will be executed, demonstrating the remote code execution capability.
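One way to close this class of bug is to fail closed on submitted config keys before they are merged and exported to plugins. The following is an added example, not ArchiveBox's own code or its actual fix; the allowlisted key names, their bounds, and the helper names `validate_overrides` and `build_plugin_env` are assumptions made for illustration.

```python
import json

# Assumption: the only per-crawl overrides an untrusted submitter needs.
# These key names and bounds are illustrative, not ArchiveBox's schema.
ALLOWED_OVERRIDES = {
    "TIMEOUT": lambda v: type(v) is int and 1 <= v <= 3600,
    "SAVE_MEDIA": lambda v: type(v) is bool,
    "SAVE_SCREENSHOT": lambda v: type(v) is bool,
}


class ConfigRejected(ValueError):
    """Raised when a submitted config override is not permitted."""


def validate_overrides(raw_json: str) -> dict:
    """Parse a submitted config field and return only vetted overrides.

    Fails closed: any unknown key or wrongly typed value rejects the
    whole submission rather than being dropped silently.
    """
    try:
        submitted = json.loads(raw_json) if raw_json.strip() else {}
    except json.JSONDecodeError as exc:
        raise ConfigRejected("config is not valid JSON") from exc
    if not isinstance(submitted, dict):
        raise ConfigRejected("config must be a JSON object")
    clean = {}
    for key, value in submitted.items():
        check = ALLOWED_OVERRIDES.get(key)
        if check is None:
            raise ConfigRejected(f"override not permitted: {key!r}")
        if not check(value):
            raise ConfigRejected(f"bad value for {key!r}")
        clean[key] = value
    return clean


def build_plugin_env(base_env: dict, overrides: dict) -> dict:
    """Export vetted overrides as environment variables for a plugin run."""
    env = dict(base_env)
    for key, value in overrides.items():
        env[key] = str(value)
    return env
```

Because the allowlist names exact keys, argument-carrying settings such as 'YTDLP_ARGS_EXTRA' never reach the plugin environment from a request, whether or not 'PUBLIC_ADD_VIEW' is enabled.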