
r2plugin: prevent command injection in signature fallback apply path #31

Open
trufae wants to merge 1 commit into master from codex/fix-unsanitized-function-names-vulnerability


trufae commented Mar 17, 2026


Motivation

  • The fallback write-back path executed r_core_cmdf_at(..., "afs %s", signature) with an inferred signature string that could include an unsanitized function name coming from untrusted binaries, enabling radare2 command injection via separators like ;, |, &, newlines, or !.

Description

  • Added signature_contains_cmd_separator() in r2plugin/r_anal_sleigh.c to detect dangerous separator characters in the signature string before executing the fallback command.
  • Updated apply_inferred_signature() to skip the r_core_cmdf_at fallback when a separator is detected, mark the apply result as failed, and write a descriptive reason instead of executing the unsafe command.
  • This change only hardens the fallback (command) path and preserves the existing API-first r_anal_str_to_fcn apply-and-verify flow and behavior when no unsafe characters are present.
  • Blocked separators: ;, |, &, \n, \r, and !.

Testing

  • Ran the unit test test_format_afs_signature via cargo test -p r2sleigh-plugin --features x86 test_format_afs_signature -- --nocapture, which compiled the workspace and passed (1 test passed).

Codex Task
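
The check outlined in the description above, as an added example that is not the project's code and not part of the PR: `signature_contains_cmd_separator` is reimplemented from the description only, while `ApplyResult`, `build_afs_fallback` and the sample signatures are hypothetical. The command string is built and returned, never executed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Separators the PR description lists as blocked: ; | & \n \r ! */
static const char BLOCKED[] = ";|&\n\r!";

/* Reimplemented from the description; the project's own body is not shown. */
bool signature_contains_cmd_separator(const char *sig) {
	return sig && strpbrk(sig, BLOCKED) != NULL;
}

/* Hypothetical result record: outcome, failure reason, command text. */
typedef struct {
	bool applied;
	char reason[64];
	char cmd[256];
} ApplyResult;

/* Hypothetical stand-in for the fallback path. It only builds the "afs"
 * command string; nothing is executed here. */
ApplyResult build_afs_fallback(const char *sig) {
	ApplyResult r = { false, "", "" };
	if (!sig || !*sig) {
		snprintf(r.reason, sizeof r.reason, "empty signature");
	} else if (signature_contains_cmd_separator(sig)) {
		size_t off = strcspn(sig, BLOCKED); /* index of first blocked byte */
		snprintf(r.reason, sizeof r.reason, "blocked separator 0x%02x at offset %zu",
			(unsigned)(unsigned char)sig[off], off);
	} else if (strlen(sig) + sizeof "afs " > sizeof r.cmd) {
		snprintf(r.reason, sizeof r.reason, "signature too long");
	} else {
		snprintf(r.cmd, sizeof r.cmd, "afs %s", sig);
		r.applied = true;
	}
	return r;
}

int main(void) {
	/* Constructed inputs: one ordinary signature, one with a ';' in the name. */
	const char *samples[] = { "int sym.add (int a, int b)", "void fcn;X (void)" };
	for (size_t i = 0; i < 2; i++) {
		ApplyResult r = build_afs_fallback(samples[i]);
		printf("%-30s -> %s\n", samples[i], r.applied ? r.cmd : r.reason);
	}
	return 0;
}
```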


trufae commented Mar 17, 2026


actually the right fix is just to prefix with a single quote the afs command. no need to filter all that. so pls take that into account and do the right fix by hand
