Bash Command Injection

Hello!

I was just wondering where to report a problem with the bash sandbox. The right syntax is not very hard to find, but I probably shouldn’t post it publicly anyways =)

Although the environment bash is running in is pretty bare (not much in /bin/ and /usr/bin/), it still seems to have unrestricted Internet access from an EC2 virtual machine, so someone could pretty easily upload their own binary and try to mine bitcoin through your AWS account, or who knows what else.

Here’s an HTTP request I sent to http://ifconfig.me with bash’s /dev/tcp to show that the bash process has network access:

HTTP/1.1 200 OK
access-control-allow-origin: *
content-type: text/plain; charset=utf-8
Content-Length: 11
date: Fri, 28 May 2021 22:24:20 GMT
x-envoy-upstream-service-time: 1
Via: 1.1 google

34.245.6.24

I’ll be happy to communicate the details so that this gets fixed 🙂

Hi Tux3!

We very much appreciate you communicating this to us. The problem should be fixed.
If you still see issues, please let us know.

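For operators of a sandbox like the one discussed in this thread, here is an added example (not code from either poster or from the project) of an egress regression check. It uses the same bash /dev/tcp feature to confirm from inside the sandbox that outbound connections are denied. The function names and the target list are assumptions, and the single loopback target is constructed so the block runs offline.

```shell
#!/bin/sh
# Egress regression check to run INSIDE a sandbox after locking it down.
# Exit status 0 means every listed target was unreachable.

# probe HOST PORT -> prints "open" or "blocked"
probe() {
    # /dev/tcp is a bash redirection feature, so bash is invoked explicitly.
    # Host and port are passed as positional arguments, never interpolated
    # into the command string.
    if command -v timeout >/dev/null 2>&1; then
        # Bound the wait: a silently dropped SYN would otherwise hang.
        timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
    else
        bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
    fi
    if [ $? -eq 0 ]; then echo open; else echo blocked; fi
}

# audit_egress reads "HOST PORT" lines on stdin, reports each result,
# and returns 1 if any target was reachable.
audit_egress() {
    failures=0
    while read -r host port; do
        [ -n "$host" ] || continue          # skip blank lines
        result=$(probe "$host" "$port")
        printf '%-8s %s:%s\n' "$result" "$host" "$port"
        [ "$result" = blocked ] || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Constructed target list: a loopback port that is normally closed.
# In a real sandbox, list the external endpoints your policy must deny.
audit_egress <<'EOF'
127.0.0.1 1
EOF
```

Run it as part of the sandbox image's test suite so that a change to network policy which reopens egress fails the build.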