video-analytics-service code injection vulnerability
cgdougla opened this issue · 2 comments
In the requests sent to the video-analytics-service, there is string replacement for the parameters into the executed pipeline. By closing the quote with " for that parameter, the request could then contain other GStreamer elements in the case of a GStreamer pipeline or bash commands in the case of FFmpeg.
Upon further inspection, this seems to be more difficult on the FFmpeg side. The function used to spawn the subprocess takes the first index in the list of arguments as the executable. This is always 'ffmpeg'. Any other fields after that are considered parameters to this executable and will error and not execute. Still, it can have GStreamer elements added to the pipeline and FFmpeg parameters changed. Further input validation is needed.
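One way to apply the input validation the issue asks for, as an added example that is not part of the original thread or the project's code: each request parameter must fully match an allowlist pattern before it is substituted, and the FFmpeg template is split into arguments before substitution so a value can never become more than one argument. The templates, parameter names (`uri`, `name`), patterns and function names are assumptions made for illustration.

```python
import re
import shlex

# Constructed templates; placeholder names and elements are assumptions.
GST_TEMPLATE = 'urisourcebin uri="{uri}" ! decodebin ! videoconvert name="{name}" ! appsink'
FFMPEG_TEMPLATE = 'ffmpeg -i "{uri}" -f null -'

# Allowlist per parameter: the whole value must match, so quotes, spaces,
# "!" and a leading "-" can never reach the pipeline string.
ALLOWED = {
    "uri": re.compile(r"(?:file|rtsp|https?)://[A-Za-z0-9._~/:@%+-]+"),
    "name": re.compile(r"[A-Za-z0-9_]{1,64}"),
}


class InvalidParameter(ValueError):
    """Raised when a request parameter fails validation."""


def validate(template, params):
    """Require exactly the template's placeholders, each matching its pattern."""
    wanted = set(re.findall(r"\{(\w+)\}", template))
    if set(params) != wanted:
        raise InvalidParameter(f"expected parameters {sorted(wanted)}")
    for key, value in params.items():
        pattern = ALLOWED.get(key)
        if pattern is None or not isinstance(value, str) or not pattern.fullmatch(value):
            raise InvalidParameter(f"rejected value for {key!r}")


def render_gstreamer(params):
    """Return the pipeline description only after every value passed validation."""
    validate(GST_TEMPLATE, params)
    return GST_TEMPLATE.format(**params)


def render_ffmpeg_argv(params):
    """Split the template first, then substitute, so one value stays one argument."""
    validate(FFMPEG_TEMPLATE, params)
    return [token.format(**params) for token in shlex.split(FFMPEG_TEMPLATE)]
```

Rejecting by allowlist rather than escaping keeps the check independent of GStreamer's and FFmpeg's own quoting rules.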