OWASP/crAPI

Add direct command Injection vulnerability (CWE-77, OWASP API 8)

JBAhire opened this issue · 3 comments

Is your feature request related to a problem? Please describe.
Currently, we can use crAPI to demonstrate indirect command injection but we also want to add capabilities to demonstrate direct command injection.

Describe the solution you'd like
@piyushroshan , can you guide us here for a solution?

Hello,
I am working on a solution for this.

Hello @piyushroshan @JBAhire,
Can we use the API /identity/api/v2/user/videos/convert_video for exposing this vulnerability, since it requires running a conversion command in bash?

```java
return new CRAPIResponse(
    bashCommand.executeBashCommand(profileVideo.getConversion_params()), 200);
```

Though I am not sure what command is passed there ⬆️. Only params are being passed now:

```java
private String conversion_params = "-v codec h264";
```

While running on dev mode it kept saying "Failed to convert" since x-forwarded-host headers were missing.

```java
if (xForwardedHost == null) {
    if (videoId != null && videoId > 0) {
        Optional<ProfileVideo> optionalProfileVideo = profileVideoRepository.findById(videoId);
        if (optionalProfileVideo.isPresent() && block_shell_injections) {
            profileVideo = optionalProfileVideo.get();
            if (ProfileValidator.checkContains(profileVideo.getConversion_params())) {
                return new CRAPIResponse(UserMessage.CONVERSION_VIDEO_OK, 200);
            } else if (profileVideo.getConversion_params().equalsIgnoreCase("-v codec h264")) {
                return new CRAPIResponse(UserMessage.CONVERT_VIDEO_BASH_COMMAND_TRIGGERED, 200);
            } else if (!profileVideo.getConversion_params().equalsIgnoreCase("-v codec h264")) {
                if (ProfileValidator.checkSpecialCharacter(profileVideo.getConversion_params())) {
                    return new CRAPIResponse(UserMessage.CONVERT_VIDEO_INTERNAL_ERROR, 500);
                }
                return new CRAPIResponse(UserMessage.YOU_WON_THE_GAME, 200);
            }
            return new CRAPIResponse(UserMessage.CONVERT_VIDEO_INTERNAL_ERROR, 500);
        } else if (optionalProfileVideo.isPresent()
                && !block_shell_injections
                && optionalProfileVideo.get().getConversion_params() != null) {
            profileVideo = optionalProfileVideo.get();
            return new CRAPIResponse(
                bashCommand.executeBashCommand(profileVideo.getConversion_params()), 200);
        }
        return new CRAPIResponse(UserMessage.CONVERT_VIDEO_INTERNAL_ERROR, 500);
    }
    return new CRAPIResponse(UserMessage.CONVERT_VIDEO_PARAM_IS_MISSING, 400);
} else {
    return new CRAPIResponse(UserMessage.CONVERT_VIDEO_INTERNAL_USE_ONLY, 403);
}
```

I am looking into this but if you have any pointers or other suggestions please guide.
Thanks!

That's the indirect command injection in crAPI. We can for sure enhance in that direction. Since this is a GET request, maybe provide a query param as the conversion param in the GET request that can invoke the same pipeline.
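For contrast with the `executeBashCommand(conversion_params)` path discussed in this thread, here is how the same conversion step looks when the parameters are validated against an allowlist and passed as separate argv entries so no shell ever parses them. This is an added example, not crAPI's own code; the `ffmpeg` binary, the allowlist contents and the `buildArgv` helper are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not crAPI code): hardened counterpart of handing
// conversion_params to bash. Tokenise, allowlist, then use an argv list.
public class SafeConversion {
    // Only tokens of this shape may reach the converter (hypothetical allowlist).
    private static final Pattern SAFE_TOKEN = Pattern.compile("^-?[A-Za-z0-9_.]+$");
    private static final List<String> ALLOWED_FLAGS = List.of("-v", "-codec", "-b");

    /** Returns argv for the converter call, or throws if any token is not allowed. */
    public static List<String> buildArgv(String conversionParams, String inputPath) {
        List<String> argv = new ArrayList<>();
        argv.add("ffmpeg"); // hypothetical converter binary, started directly
        for (String t : conversionParams.trim().split("\\s+")) {
            // Any shell metacharacter (; | & $ ` etc.) fails this regex.
            if (!SAFE_TOKEN.matcher(t).matches()) {
                throw new IllegalArgumentException("rejected token: " + t);
            }
            if (t.startsWith("-") && !ALLOWED_FLAGS.contains(t)) {
                throw new IllegalArgumentException("flag not allowed: " + t);
            }
            argv.add(t);
        }
        argv.add(inputPath);
        return argv;
    }

    public static void main(String[] args) {
        // The default value from the snippet above is accepted.
        System.out.println(buildArgv("-v codec h264", "/tmp/in.mp4"));
        // A value carrying a command separator is rejected before any process starts.
        try {
            buildArgv("-v codec h264; echo", "/tmp/in.mp4");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // ProcessBuilder with an argv list execs the binary without a shell,
        // so even a surviving odd token is just an argument, never a command.
        ProcessBuilder pb = new ProcessBuilder(buildArgv("-v codec h264", "/tmp/in.mp4"));
        System.out.println("would exec: " + pb.command());
    }
}
```

The `main` only prints the argv it would run; swap `System.out.println` for `pb.start()` once `ffmpeg` (or whatever converter the deployment uses) is installed.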