openshift/managed-scripts

Injection attack possibility in kafka.py.

k-wall opened this issue · 3 comments

Currently this library doesn't guard against injection attacks. For instance, a malicious user could pass in a specially crafted Kafka instance name or topic name (containing whitespace) to cause undesired execution effects. Best practice tells us we should always code to avoid this possibility.

Building the cmd arrays explicitly, rather than splitting on whitespace, would be one possible resolution.

cmd = "-i statefulset/"+kafka+"-kafka -c kafka -- env - bin/kafka-topics.sh --bootstrap-server localhost:9096 --describe "
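The following is an added illustration of the point above, not code from openshift/managed-scripts. It places the string-then-split pattern the issue describes next to the explicitly built argv it recommends, and adds name validation on top. It assumes the argument string is prefixed with `oc exec` before it is split (the page shows only the argument portion), and the function names, the regexes and the sample inputs are mine.

```python
import re
from typing import List, Optional

# Kubernetes resource names are DNS-1123 subdomains: lowercase alphanumerics,
# '-' and '.', at most 253 characters. Kafka topic names allow [A-Za-z0-9._-],
# at most 249 characters, and may not be "." or "..". Both patterns reject
# whitespace and shell metacharacters, which is the point of the gate.
_K8S_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?$")
_TOPIC_RE = re.compile(r"^[A-Za-z0-9._-]{1,249}$")


def build_cmd_by_splitting(kafka: str) -> List[str]:
    """The pattern the issue describes: concatenate a string, then split it on
    whitespace. Any whitespace inside `kafka` becomes extra argv elements."""
    cmd = ("oc exec -i statefulset/" + kafka + "-kafka -c kafka -- env - "
           "bin/kafka-topics.sh --bootstrap-server localhost:9096 --describe")
    return cmd.split()


def validate_k8s_name(name: str) -> str:
    """Reject anything that is not a well-formed Kubernetes resource name."""
    if not _K8S_NAME_RE.match(name):
        raise ValueError(f"invalid Kubernetes resource name: {name!r}")
    return name


def validate_topic(topic: str) -> str:
    """Reject anything that is not a legal Kafka topic name."""
    if topic in (".", "..") or not _TOPIC_RE.match(topic):
        raise ValueError(f"invalid Kafka topic name: {topic!r}")
    return topic


def build_cmd_explicit(kafka: str, topic: Optional[str] = None) -> List[str]:
    """The resolution the issue suggests: build argv element by element, so the
    caller-supplied values can only ever occupy the positions we give them.
    Validation is kept as a second layer, because a bad name is still a bad
    name even when it is confined to a single argument."""
    kafka = validate_k8s_name(kafka)
    argv = [
        "oc", "exec", "-i", f"statefulset/{kafka}-kafka", "-c", "kafka",
        "--", "env", "-", "bin/kafka-topics.sh",
        "--bootstrap-server", "localhost:9096", "--describe",
    ]
    if topic is not None:
        argv += ["--topic", validate_topic(topic)]
    return argv


if __name__ == "__main__":
    # Constructed sample input: a "name" carrying extra kafka-topics.sh flags.
    hostile = "my-cluster --delete --topic payments"
    print("split  :", build_cmd_by_splitting(hostile))   # flags leak into argv
    print("explicit:", build_cmd_explicit("my-cluster", "payments"))
    try:
        build_cmd_explicit(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

With the split builder, the constructed input turns one resource name into four argv elements, and `--delete` lands in the position where `oc` hands arguments through to `kafka-topics.sh`; with the explicit builder the same input never reaches a command line at all. Passing the list to `subprocess.run` without `shell=True` keeps it that way, since no shell is involved to re-split anything.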

@robshelly

Thank you for raising the issue! Given the PR is merged, are we good to close this issue?

Yes, this can be closed now. Thanks for pointing out the issue @k-wall.

@k-wall can we close this issue now, as the PR has been merged?