Merge pull request #233 from AikidoSec/main

Merge main

Author: teta2k

.vscode/launch.json

@@ -1,20 +1,59 @@
 {
-  "version": "0.2.0",
-  "configurations": [
-    {
-      "name": "Debug DotNetCore.Sample.App",
-      "type": "coreclr",
-      "request": "launch",
-      "preLaunchTask": "build DotNetCore.Sample.App",
-      "program": "${workspaceFolder}/sample-apps/DotNetCore.Sample.App/bin/Debug/net10.0/DotNetCore.Sample.App.dll",
-      "args": [],
-      "cwd": "${workspaceFolder}/sample-apps/DotNetCore.Sample.App",
-      "stopAtEntry": false,
-      "console": "integratedTerminal",
-      "env": {
-        "ASPNETCORE_ENVIRONMENT": "Development",
-        "DOTNET_ENVIRONMENT": "Development"
-      }
-    }
-  ]
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Attach vsdbg ssh",
+            "type": "coreclr",
+            "request": "attach",
+            "pipeTransport": {
+                "pipeCwd": "${workspaceFolder}",
+                "pipeProgram": "/usr/bin/ssh",
+                "pipeArgs": [
+                    "-p",
+                    "10022",
+                    "root@localhost"
+                ],
+                "debuggerPath": "/vsdbg/vsdbg"
+            },
+            "requireExactSource": false,
+            "justMyCode": false
+        },
+        {
+            "name": "Attach .NET (pick process)",
+            "type": "coreclr",
+            "request": "attach",
+            "processId": "${command:pickProcess}",
+            "justMyCode": false
+        },
+        {
+            "name": "Launch DotNetCore.Sample.App",
+            "type": "coreclr",
+            "request": "launch",
+            "preLaunchTask": "build DotNetCore.Sample.App",
+            "program": "${workspaceFolder}/sample-apps/DotNetCore.Sample.App/bin/Debug/net10.0/DotNetCore.Sample.App.dll",
+            "args": [],
+            "cwd": "${workspaceFolder}/sample-apps/DotNetCore.Sample.App",
+            "stopAtEntry": false,
+            "console": "integratedTerminal",
+            "env": {
+                "ASPNETCORE_ENVIRONMENT": "Development",
+                "DOTNET_ENVIRONMENT": "Development"
+            }
+        },
+        {
+            "name": "Launch UmbracoSampleApp",
+            "type": "coreclr",
+            "request": "launch",
+            "preLaunchTask": "build UmbracoSampleApp",
+            "program": "${workspaceFolder}/e2e/sample-apps/UmbracoSampleApp/bin/Debug/net10.0/UmbracoSampleApp.dll",
+            "args": [],
+            "cwd": "${workspaceFolder}/e2e/sample-apps/UmbracoSampleApp",
+            "stopAtEntry": false,
+            "console": "integratedTerminal",
+            "env": {
+                "ASPNETCORE_ENVIRONMENT": "Development",
+                "DOTNET_ENVIRONMENT": "Development"
+            }
+        }
+    ]
 }

.vscode/tasks.json

@@ -14,6 +14,16 @@
         "kind": "build",
         "isDefault": true
       }
+    },
+    {
+      "label": "build UmbracoSampleApp",
+      "type": "process",
+      "command": "dotnet",
+      "args": [
+        "build",
+        "${workspaceFolder}/e2e/sample-apps/UmbracoSampleApp/UmbracoSampleApp.csproj"
+      ],
+      "problemMatcher": "$msCompile"
     }
   ]
 }

Aikido.Zen.Core/Helpers/HttpHelper.cs

@@ -84,6 +84,9 @@ public static async Task<HttpDataResult> ReadAndFlattenHttpDataAsync(
                 LogHelper.ErrorLog(Agent.Logger, $"caught error while parsing body: {e.Message}");
             }
 
+            // Decode percent-encoded values
+            UserInputHelper.DecodeUriValues(result);
+
             return new HttpDataResult
             {
                 FlattenedData = result,

Aikido.Zen.Core/Helpers/UserInputHelper.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using Aikido.Zen.Core.Models;
 using Microsoft.Net.Http.Headers;
 
@@ -10,6 +11,25 @@ namespace Aikido.Zen.Core.Helpers
     /// </summary>
     public static class UserInputHelper
     {
+        private const int MaxDecodeUriPasses = 2;
+
+        /// <summary>
+        /// Decodes percent-encoded values in place (e.g. who%61mi => whoami).
+        /// </summary>
+        /// <param name="values">Dictionary containing user input values.</param>
+        public static void DecodeUriValues(IDictionary<string, string> values)
+        {
+            if (values == null || values.Count == 0)
+            {
+                return;
+            }
+
+            foreach (var key in values.Keys.ToList())
+            {
+                values[key] = DecodeUriComponent(values[key]);
+            }
+        }
+
         /// <summary>
         /// Extracts the source of the user input from the path.
         /// </summary>
@@ -107,5 +127,28 @@ public static bool IsMultipart(string contentType, out string boundary)
             boundary = parsedContentType.Boundary.Value;
             return isMultipart;
         }
+
+        private static string DecodeUriComponent(string input)
+        {
+            string decoded = input;
+
+            if (string.IsNullOrEmpty(input))
+            {
+                return decoded;
+            }
+
+            for (int i = 0; i < MaxDecodeUriPasses; i++)
+            {
+                string next = Uri.UnescapeDataString(decoded);
+                if (next == decoded)
+                {
+                    break;
+                }
+
+                decoded = next;
+            }
+
+            return decoded;
+        }
     }
 }

Aikido.Zen.Core/Vulnerabilities/ShellInjectionDetector.cs

@@ -16,7 +16,7 @@ public class ShellInjectionDetector
         private static readonly char[] separators = { ' ', '\t', '\n', ';', '&', '|', '(', ')', '<', '>' };
 
         // Define dangerous characters and commands as static fields
-        private static readonly char[] dangerousChars = { '#', '!', '"', '$', '&', '\'', '(', ')', '*', ';', '<', '=', '>', '?', '[', '\\', ']', '^', '`', '{', '|', '}', ' ', '\n', '\t', '~', '%' };
+        private static readonly char[] dangerousChars = { '#', '!', '"', '$', '&', '\'', '(', ')', '*', ';', '<', '=', '>', '?', '[', '\\', ']', '^', '`', '{', '|', '}', ' ', '\n', '\t', '~' };
         private static readonly string[] dangerousCommands = { "sleep", "shutdown", "reboot", "poweroff", "halt", "ifconfig", "chmod", "chown", "ping", "ssh", "scp", "curl", "wget", "telnet", "kill", "killall", "rm", "mv", "cp", "touch", "echo", "cat", "head", "tail", "grep", "find", "awk", "sed", "sort", "uniq", "wc", "ls", "env", "ps", "who", "whoami", "id", "w", "df", "du", "pwd", "uname", "hostname", "netstat", "passwd", "arch", "printenv", "logname", "pstree", "hostnamectl", "set", "lsattr", "killall5", "dmesg", "history", "free", "uptime", "finger", "top", "shopt", ":" };
         private static readonly char[] dangerousCharsInsideDoubleQuotes = { '$', '`', '\\', '!' };
 

Aikido.Zen.Test/HttpHelperTests.cs

@@ -104,6 +104,44 @@ private class TestCase
             public object ExpectedParsedBody { get; set; }
         }
 
+        [Test]
+        public async Task ReadAndFlattenHttpDataAsync_ShouldDecodePercentEncodedUserInputValues()
+        {
+            // Arrange
+            var routeParams = new Dictionary<string, string> { { "command", "who%61mi" } };
+            var queryParams = new Dictionary<string, string> {
+                { "path", "%2e%2e%2fetc%2fpasswd" },
+                { "emoji", "%F0%9F%98%80" },
+                { "double", "%2577%2568%256f%2561%256d%2569" },
+                { "invalid", "%E0%A4%A" }
+            };
+            var headers = new Dictionary<string, string> { { "X-Custom", "a+b%2Bc" } };
+            var cookies = new Dictionary<string, string> { { "session", "abc%31%32%33" } };
+            const string body = "{\"cmd\":\"who%61mi\",\"literal\":\"a+b\"}";
+            using var bodyStream = new MemoryStream(Encoding.UTF8.GetBytes(body));
+
+            // Act
+            var result = await HttpHelper.ReadAndFlattenHttpDataAsync(
+                routeParams,
+                queryParams,
+                headers,
+                cookies,
+                bodyStream,
+                "application/json",
+                bodyStream.Length);
+
+            // Assert
+            Assert.That(result.FlattenedData["route.command"], Is.EqualTo("whoami"));
+            Assert.That(result.FlattenedData["query.path"], Is.EqualTo("../etc/passwd"));
+            Assert.That(result.FlattenedData["query.emoji"], Is.EqualTo("\U0001F600"));
+            Assert.That(result.FlattenedData["query.double"], Is.EqualTo("whoami"));
+            Assert.That(result.FlattenedData["query.invalid"], Is.EqualTo("%E0%A4%A"));
+            Assert.That(result.FlattenedData["headers.X-Custom"], Is.EqualTo("a+b+c"));
+            Assert.That(result.FlattenedData["cookies.session"], Is.EqualTo("abc123"));
+            Assert.That(result.FlattenedData["body.cmd"], Is.EqualTo("whoami"));
+            Assert.That(result.FlattenedData["body.literal"], Is.EqualTo("a+b"));
+        }
+
         [Test]
         public void ToJsonObj_ShouldHandleTrueFalseNull()
         {

sample-apps/DotNetCore.Sample.App/Controllers/ShellInjectionController.cs

@@ -1,8 +1,10 @@
+using System;
 using System.Diagnostics;
 using System.Runtime.InteropServices;
 using System.Text;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
+using DotNetCore.Sample.App.Models;
 
 namespace DotNetCore.Sample.App.Controllers
 {
@@ -14,6 +16,8 @@ namespace DotNetCore.Sample.App.Controllers
     [Route("shell-injection")]
     public class ShellInjectionController : ControllerBase
     {
+        private const int MaxDecodeUriPasses = 2;
+
         /// <summary>
         /// Executes a shell command provided in the 'cmd' query parameter.
         /// On Windows, it attempts to use WSL via 'cmd.exe /c wsl'.
@@ -48,8 +52,23 @@ public async Task<IActionResult> ExecuteRouteCommand(string command)
             return await ExecuteCommandInternal(command);
         }
 
+        [HttpPost("/api/execute")]
+        public async Task<IActionResult> ExecuteCommandPost([FromBody] CommandRequest request)
+        {
+            var command = request.UserCommand;
+
+            if (string.IsNullOrEmpty(command))
+            {
+                return BadRequest("Command is required");
+            }
+
+            return await ExecuteCommandInternal(command);
+        }
+
         private async Task<IActionResult> ExecuteCommandInternal(string command)
         {
+            command = DecodeUriComponent(command);
+
             var processStartInfo = new ProcessStartInfo
             {
                 RedirectStandardOutput = true,
@@ -133,5 +152,28 @@ private async Task<IActionResult> ExecuteCommandInternal(string command)
                 return BadRequest($"Error executing command: {ex.Message}\nStackTrace:{ex.StackTrace}");
             }
         }
+
+        private static string DecodeUriComponent(string input)
+        {
+            string decoded = input;
+
+            if (string.IsNullOrEmpty(input))
+            {
+                return decoded;
+            }
+
+            for (int i = 0; i < MaxDecodeUriPasses; i++)
+            {
+                string next = Uri.UnescapeDataString(decoded);
+                if (next == decoded)
+                {
+                    break;
+                }
+
+                decoded = next;
+            }
+
+            return decoded;
+        }
     }
 }

sample-apps/DotNetCore.Sample.App/Models/Requests.cs

@@ -0,0 +1,7 @@
+namespace DotNetCore.Sample.App.Models
+{
+    public class CommandRequest
+    {
+        public string? UserCommand { get; set; }
+    }
+}

sample-apps/DotNetFramework.Sample.App/Controllers/ShellInjectionController.cs

@@ -16,6 +16,8 @@ namespace DotNetFramework.Sample.App.Controllers
     [RoutePrefix("api/shell-injection")]
     public class ShellInjectionController : ApiController
     {
+        private const int MaxDecodeUriPasses = 2;
+
         /// <summary>
         /// Executes a shell command provided in the 'cmd' query parameter.
         /// On Windows, it attempts to use WSL via 'cmd.exe /c wsl'.
@@ -32,6 +34,8 @@ public async Task<IHttpActionResult> ExecuteCommand()
                 return BadRequest("Command parameter 'cmd' is required.");
             }
 
+            command = DecodeUriComponent(command);
+
             var processStartInfo = new ProcessStartInfo
             {
                 RedirectStandardOutput = true,
@@ -93,5 +97,28 @@ public async Task<IHttpActionResult> ExecuteCommand()
                 return BadRequest($"Error executing command: {ex.Message} StackTrace:{ex.StackTrace}");
             }
         }
+
+        private static string DecodeUriComponent(string input)
+        {
+            string decoded = input;
+
+            if (string.IsNullOrEmpty(input))
+            {
+                return decoded;
+            }
+
+            for (int i = 0; i < MaxDecodeUriPasses; i++)
+            {
+                string next = Uri.UnescapeDataString(decoded);
+                if (next == decoded)
+                {
+                    break;
+                }
+
+                decoded = next;
+            }
+
+            return decoded;
+        }
     }
 }