Crabbox Environment Variable Exposure Vulnerability Allowing Secret Forwarding into Remote Command Execution
Vulnerability
A vulnerability exists in Crabbox versions prior to 0.12.0, allowing for the exposure of environment variables. This issue enables attackers with access to a compromised repository to forward local secrets, such as API tokens and cloud credentials, into the remote command environment. The vulnerability arises from overly permissive environment variable allowlisting in repository-specific Crabbox configurations, which can serialize sensitive data into remote command executions, thereby exposing credentials in the remote environment.
Impact
Exploitation of this vulnerability allows for improper control of code generation, potentially leading to code injection attacks.
Reproduction
The vulnerability can be reproduced by creating a repository-local Crabbox configuration file that allows all environment variables to be forwarded to remote commands. This can be done by setting the 'env.allow' option to a bare wildcard. Once this configuration is in place, any local environment variables containing sensitive information, such as API tokens, will be forwarded to the remote command execution environment, exposing these secrets.
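The following Python snippet is an added illustration of the allowlist behaviour described above; it is not Crabbox's own code and makes no claim about its internals. It assumes a hypothetical tool that reads an env.allow list of glob-style name patterns and forwards every matching local variable into the remote command's environment. The constructed sample environment contains two secret-like variables so the difference between a bare wildcard and an explicit allowlist is visible, and the last helper flags forwarded names that look like credentials, which is the check a reviewer of a repository-local config would want.

```python
"""Illustrative env.allow filtering (hypothetical model, not Crabbox's code)."""
from fnmatch import fnmatchcase

# Constructed sample of a developer's local environment; the two credential
# values are placeholders, not real secrets.
LOCAL_ENV = {
    "PATH": "/usr/bin",
    "HOME": "/home/dev",
    "CARGO_TERM_COLOR": "always",
    "GITHUB_TOKEN": "ghp_PLACEHOLDER",
    "AWS_SECRET_ACCESS_KEY": "PLACEHOLDER_AWS_SECRET",
}

# Substrings that mark a variable name as credential-like (heuristic).
SECRET_MARKERS = ("TOKEN", "SECRET", "PASSWORD", "KEY")


def forward_env_permissive(local_env: dict, allow: list) -> dict:
    """Forward every variable whose name matches any allow pattern.

    A bare '*' matches everything, so the whole local environment,
    secrets included, is serialized into the remote command.
    """
    return {
        name: value
        for name, value in local_env.items()
        if any(fnmatchcase(name, pattern) for pattern in allow)
    }


def is_explicit_pattern(pattern: str) -> bool:
    """An explicit pattern names at least a literal prefix; '*' or '?*' do not."""
    return bool(pattern) and pattern[0] not in "*?"


def forward_env_hardened(local_env: dict, allow: list) -> dict:
    """Forward only variables matched by explicit patterns.

    Bare wildcards are dropped from the allowlist before matching, so a
    repository-local config cannot opt the whole environment in.
    """
    explicit = [p for p in allow if is_explicit_pattern(p)]
    return forward_env_permissive(local_env, explicit)


def has_bare_wildcard(allow: list) -> bool:
    """Config check: does any env.allow entry grant everything?"""
    return any(not is_explicit_pattern(p) for p in allow)


def flag_secret_like(forwarded: dict) -> list:
    """Return forwarded variable names that look like credentials."""
    return sorted(
        name for name in forwarded
        if any(marker in name.upper() for marker in SECRET_MARKERS)
    )


if __name__ == "__main__":
    risky = ["*"]
    safe = ["PATH", "CARGO_*"]
    print("bare wildcard present:", has_bare_wildcard(risky))
    print("permissive forwards:", flag_secret_like(forward_env_permissive(LOCAL_ENV, risky)))
    print("hardened forwards:", sorted(forward_env_hardened(LOCAL_ENV, safe)))
```

Running the block shows that the permissive filter with a bare wildcard hands GITHUB_TOKEN and AWS_SECRET_ACCESS_KEY to the remote side, while the hardened filter with an explicit list forwards only PATH and CARGO_TERM_COLOR. The has_bare_wildcard check is the kind of lint a team can run over repository-local configuration before trusting it, since the repository, not the developer, controls that file.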
Remediation
Users can update to Crabbox version 0.13.0 or later, where this vulnerability has been fixed.