OS Command Injection In @budibase/server

Description

Budibase: Command Injection in Bash Automation Step
Location: packages/server/src/automations/steps/bash.ts

Description

The bash automation step runs the step's command string with execSync, which hands the whole string to a system shell with no validation or escaping. Before execution the string is passed through processStringSync, which resolves template bindings from the automation context and splices the resolved values into the command text. A binding value that contains shell metacharacters is therefore parsed by the shell as command syntax rather than as data, which allows arbitrary command execution on the server.

Code Reference

    import { execSync } from "child_process"

    // Bindings are resolved into the command text first (processStringSync is
    // Budibase's template engine) ...
    const command = processStringSync(inputs.code, context)

    let stdout,
      success = true
    try {
      // ... then the whole string is handed to a shell, which interprets any
      // metacharacters the resolved bindings introduced as command syntax
      stdout = execSync(command, {
        timeout: environment.QUERY_THREAD_TIMEOUT,
      }).toString()...

Attack Vector

An attacker with access to create or modify automations can inject shell commands by writing bindings whose resolved values contain shell metacharacters (e.g., $(rm -rf /), ; malicious-command, | malicious-command). Because the bindings are resolved from the automation context at run time, the same applies to any data that reaches the step through a binding: the author of the automation need not be the one supplying the payload.

Impact

    Remote code execution (RCE)

    Complete system compromise

    Data exfiltration

    Lateral movement within the infrastructure

Recommendation

    Immediate: Disable bash automation step in production until fixed

    Implement a whitelist of allowed commands

    Use parameterized command execution (spawn or execFile with an argv array and no shell) so that binding values can only ever become argument strings, never command syntax; escaping for a shell is a weaker substitute

    Implement command argument validation

    Consider using a restricted shell or command sandboxing

    Add rate limiting and monitoring for command execution

Example Fix

    import { spawn } from "child_process"

    // Validate against whitelist
    const ALLOWED_COMMANDS = ["echo", "date", "pwd"] // Extend as needed

    // Denylist stripping of metacharacters. This is only as good as the list:
    // newlines, quotes, redirection and backslashes were missing from the
    // original and are added here. Passing an argv array to spawn with no
    // shell removes the need for such a list entirely.
    function sanitizeCommand(input: string): string {
      // Remove dangerous characters and command chaining
      return input.replace(/[;&|`$(){}[\]<>'"\\\n\r]/g, "").trim()
    }
    // ...
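The recommendation to use parameterized execution, worked through as an added example that is not Budibase's code and not the sanitizer sketched above. It assumes a {{ a.b }} binding syntax resolved from a context object (a stand-in for processStringSync), hypothetical helpers named tokenize, buildArgv and runHardened, and echo, date and pwd as the allowlist. runVulnerable reproduces the advisory's interpolate-then-execSync shape so the two paths can be compared on the same constructed trigger value.

```typescript
import { execSync, spawnSync } from "child_process"

type Context = Record<string, unknown>

// Binding syntax assumed for this example: {{ a.b.c }} resolved from the
// automation context. Stand-in for Budibase's processStringSync, not its code.
const BINDING_RE = /\{\{\s*([\w.]+)\s*\}\}/g

function lookup(path: string, context: Context): string {
  let node: unknown = context
  for (const key of path.split(".")) {
    if (node === null || typeof node !== "object") return ""
    node = (node as Record<string, unknown>)[key]
  }
  return node === undefined || node === null ? "" : String(node)
}

// Vulnerable shape from the advisory: substitute bindings into the text, then
// hand the whole string to a shell. Metacharacters in a value become syntax.
function runVulnerable(template: string, context: Context): string {
  const command = template.replace(BINDING_RE, (_m, path: string) => lookup(path, context))
  return execSync(command, { timeout: 5000 }).toString()
}

// Split the authored command into argv. Whitespace separates tokens; single or
// double quotes group them. Pipes, redirection, globbing and chaining are
// deliberately unsupported: no shell will run, so they have no meaning here.
function tokenize(command: string): string[] {
  const tokens: string[] = []
  let current = ""
  let quote: string | null = null
  let inToken = false
  for (const ch of command) {
    if (quote !== null) {
      if (ch === quote) quote = null
      else current += ch
    } else if (ch === '"' || ch === "'") {
      quote = ch
      inToken = true
    } else if (/\s/.test(ch)) {
      if (inToken) {
        tokens.push(current)
        current = ""
        inToken = false
      }
    } else {
      current += ch
      inToken = true
    }
  }
  if (quote !== null) throw new Error("unterminated quote in command")
  if (inToken) tokens.push(current)
  return tokens
}

// Hardened shape. Bindings are replaced by opaque placeholders before
// tokenizing, so the argv structure comes from the author alone; values are
// substituted into individual argv elements afterwards and never re-parsed.
function buildArgv(template: string, context: Context): string[] {
  const values: string[] = []
  const shaped = template.replace(BINDING_RE, (_m, path: string) => {
    values.push(lookup(path, context))
    return `\u0000${values.length - 1}\u0000`
  })
  return tokenize(shaped).map(tok =>
    tok.replace(/\u0000(\d+)\u0000/g, (_m, i: string) => values[Number(i)] ?? "")
  )
}

const ALLOWED_COMMANDS = new Set(["echo", "date", "pwd"]) // assumed allowlist

function runHardened(template: string, context: Context): string {
  const [program, ...args] = buildArgv(template, context)
  if (program === undefined || !ALLOWED_COMMANDS.has(program)) {
    throw new Error(`command not allowed: ${program ?? "<empty>"}`)
  }
  // shell: false spawns the program directly with argv; a value such as
  // "; rm -rf /" reaches it as one literal argument string.
  const result = spawnSync(program, args, { shell: false, timeout: 5000, encoding: "utf8" })
  if (result.error) throw result.error
  if (result.status !== 0) throw new Error(`${program} exited ${result.status}: ${result.stderr}`)
  return result.stdout
}

// Constructed trigger data: the kind of value a form or webhook could feed.
const sample: Context = { trigger: { name: "hello; echo INJECTED" } }
console.log(runVulnerable("echo {{ trigger.name }}", sample)) // prints "hello" then "INJECTED"
console.log(runHardened("echo {{ trigger.name }}", sample))   // prints "hello; echo INJECTED"
```

The ordering is the whole point: tokenize the author's text first, substitute binding values second, and never let a substituted value be tokenized. An allowlist on argv[0] then bounds what a binding can even select, and the absence of a shell means the denylist of characters is not needed at all.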

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
