DTStack Taier OS Command Injection Vulnerability in REST API Component

Vulnerability

A critical OS command injection vulnerability allowing remote code execution has been identified in DTStack Taier version 1.4.0. The issue lies in the REST API component: user-supplied SQL text received in the 'sqlText' parameter is stored and later concatenated, without sanitization, into a command string that is executed with 'Runtime.exec()' behind a 'sh -c' prefix. Because a shell interprets that string, metacharacters embedded in the SQL text (for example ';', '|', '`' or '$( )') terminate the intended command and start an attacker-controlled one.

Impact

Exploitation of this vulnerability allows arbitrary operating system command execution on the server where DTStack Taier is running, with the privileges of the account under which the Taier service runs.

Reproduction

To reproduce this vulnerability, authenticate as a user with permissions to create tasks or jobs. Submit a request to the REST API endpoint that accepts the 'sqlText' parameter and append a shell command after a semicolon; a harmless proof such as '; id > /tmp/taier_poc' is sufficient, since the command runs when the stored SQL text is processed and the marker file confirms execution. Avoid destructive payloads: the injected text is executed with the full privileges of the Taier service account.

Remediation

To address this vulnerability, stop routing the SQL text through a shell. Replace the 'sh -c' invocation with 'ProcessBuilder' (or 'Runtime.exec(String[])') using an explicit argument list, so that 'sqlText' is passed as a single argument or written to a temporary file rather than interpolated into a command string; without a shell, metacharacters are ordinary characters. Restrict the executable to a predefined allowlist of commands, and run the Taier service under an account with minimal operating system privileges. Rejecting shell metacharacters in 'sqlText' is only a defence-in-depth measure and is not a complete fix on its own: legitimate SQL contains semicolons and quotes, so a metacharacter filter either breaks valid input or is incomplete.
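The following Java snippet is an added illustration of the injection pattern described in the Vulnerability section above, placed beside the hardened form recommended here. It is not Taier's own code: the class, method and parameter names are assumed, the 'sql-runner' binary and its '-e' / '-f' flags are placeholders for whatever client Taier actually launches, and the allowlist is an example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not Taier code. Shows why "sh -c" + string concatenation is exploitable
 * and how an argument-list ProcessBuilder with an allowlist removes the shell from the path.
 */
public class SqlTextExecution {

    // Assumed placeholder for the real SQL client binary Taier invokes.
    private static final String RUNNER = "sql-runner";

    // VULNERABLE: sqlText is interpolated into one string that a shell parses.
    // Input such as  SELECT 1; id > /tmp/taier_poc  ends the quoted -e argument
    // at the first unbalanced quote or runs as a second command after the ';'.
    public static String buildVulnerableCommandLine(String sqlText) {
        return RUNNER + " -e \"" + sqlText + "\"";
    }

    public static Process runVulnerable(String sqlText) throws IOException {
        // "sh -c" means the whole line is shell syntax, so metacharacters are live.
        return Runtime.getRuntime().exec(new String[] {"sh", "-c", buildVulnerableCommandLine(sqlText)});
    }

    // HARDENED: only executables from this allowlist may be launched (assumed list).
    private static final List<String> ALLOWED_RUNNERS = List.of(RUNNER);

    // argv for the hardened path: each element reaches the child as one argument,
    // with no shell to reinterpret ';', '|', '`' or '$( )'.
    public static String[] buildHardenedArgv(String runner, Path scriptFile) {
        if (!ALLOWED_RUNNERS.contains(runner)) {
            throw new IllegalArgumentException("runner not in allowlist: " + runner);
        }
        return new String[] {runner, "-f", scriptFile.toString()};
    }

    public static Process runHardened(String runner, String sqlText) throws IOException {
        // The statement goes into a temp file instead of argv: no shell quoting to get
        // wrong, no argv length limit, and the SQL does not show up in `ps` output.
        Path script = Files.createTempFile("taier-", ".sql");
        Files.writeString(script, sqlText, StandardCharsets.UTF_8);
        ProcessBuilder pb = new ProcessBuilder(buildHardenedArgv(runner, script));
        pb.redirectErrorStream(true);
        return pb.start();
    }

    // Defence in depth only. Note that ';' and quotes are legitimate SQL, so this
    // filter cannot be the primary control; removing "sh -c" is.
    private static final Pattern SHELL_META = Pattern.compile("[`$|&<>\\n]");

    public static boolean containsRiskyShellSyntax(String sqlText) {
        return SHELL_META.matcher(sqlText).find();
    }

    public static void main(String[] args) {
        String payload = "SELECT 1; id > /tmp/taier_poc";
        // Vulnerable: one string, parsed by sh; the ';' separates two commands.
        System.out.println("sh -c " + buildVulnerableCommandLine(payload));
        // Hardened: the SQL never appears in argv; the runner reads it from a file.
        System.out.println(Arrays.toString(buildHardenedArgv(RUNNER, Path.of("/tmp/taier-1.sql"))));
        System.out.println("risky shell syntax in payload: " + containsRiskyShellSyntax(payload));
    }
}
```

The hardened variant still depends on the invoked client not spawning its own shell and on the service account having no more filesystem or network rights than the job needs; the allowlist and the least-privilege account from the remediation text are what bound the damage if the client itself is later found to be exploitable.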

Added: May 26, 2026, 8:02 PM
Updated: May 26, 2026, 8:02 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.