XML Injection via SC1_CFG in config.sh Causes Malformed Mission XML and Configuration DoS #841
Open
Description
Define the problem
scripts/cfg/config.sh inserts user-controlled SC1_CFG directly into <sc-1-cfg> via sed substitution,
without XML escaping.
If SC1_CFG includes XML metacharacters (for example < or &), the generated mission XML becomes
malformed and configure.py fails to parse it.
Relevant code:
- config.sh:21
- config.sh:32:32
- configure.py:21:21
- Makefile:142:142
Capture the setup
- Branch: main
- Git hash: 4428de5
- Configuration changes:
- Created test file: cfg/spacecraft/sc-mission-config.xml<&evil>.xml
- Ran scripts/cfg/config.sh with SC1_CFG='spacecraft/sc-mission-config.xml<&evil>.xml'
- No persistent source/config changes were required
Steps to recreate
- Create a file with XML metacharacters in the filename:

```bash
printf '%s\n' '' > 'cfg/spacecraft/sc-mission-config.xml<&evil>.xml'
```

- Execute config workflow with override:

```bash
SC1_CFG='spacecraft/sc-mission-config.xml<&evil>.xml' bash scripts/cfg/config.sh
```

- Inspect generated mission file and parse result:

```bash
python3 - <<'PY'
from pathlib import Path
import xml.etree.ElementTree as ET

# Path of the generated mission XML, as recorded by the config workflow
p = Path('cfg/build/current_config_path.txt').read_text().strip()
print('generated=', p)

# Show the substituted <sc-1-cfg> line as written to disk
xml = Path(p).read_text(encoding='utf-8', errors='ignore')
for line in xml.splitlines():
    if '<sc-1-cfg>' in line:
        print('line=', line)
        break

# Check whether the generated file is still well-formed XML
try:
    ET.parse(p)
    print('parse=OK')
except Exception as e:
    print('parse=FAIL', type(e).__name__, str(e))
PY
```
Logs or screenshots
Observed output:
- Overriding <sc-1-cfg> with: spacecraft/sc-mission-config.xml<&evil>.xml
- Corrupted <sc-1-cfg> line in generated XML
- parse=FAIL ParseError not well-formed (invalid token)
Impact
This is a reliably triggerable denial of service in the configuration pipeline (make config path). It
breaks mission config generation and can block automated build/startup workflows where SC1_CFG is
externally controlled.
OS
No response
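One way to harden the substitution described in this issue, as an added example that is not the project's config.sh. The template, the function names and the unsafe variant are constructed for illustration; only the `<sc-1-cfg>` element name and the sample value come from the report.

```shell
#!/usr/bin/env bash
# Added example, not the project's config.sh. Template, function names and the
# unsafe variant are constructed; only the <sc-1-cfg> element name is from the issue.

TEMPLATE='<mission>
  <sc-1-cfg>spacecraft/sc-mission-config.xml</sc-1-cfg>
</mission>'

# Unsafe sketch: raw value dropped into the sed replacement. '<' and '&' reach
# the XML unescaped, and sed also expands '&' to the matched text.
render_unsafe() {
    printf '%s\n' "$TEMPLATE" | sed "s|<sc-1-cfg>[^<]*</sc-1-cfg>|<sc-1-cfg>$1</sc-1-cfg>|"
}

# Escape XML metacharacters for element text. '&' goes first so the entities
# produced by the later rules are not escaped a second time.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Escape what sed treats specially in a replacement: backslash, '&' and the
# '|' delimiter used below. Needed because xml_escape itself introduces '&'.
sed_escape_replacement() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Hardened substitution: reject empty values and control characters (a newline
# would end the sed command early), then XML-escape, sed-escape and substitute.
render_safe() {
    local value=$1 escaped
    case $value in
        ''|*[[:cntrl:]]*) echo "SC1_CFG: empty or contains control characters" >&2; return 1 ;;
    esac
    escaped=$(sed_escape_replacement "$(xml_escape "$value")")
    printf '%s\n' "$TEMPLATE" | sed "s|<sc-1-cfg>[^<]*</sc-1-cfg>|<sc-1-cfg>${escaped}</sc-1-cfg>|"
}

# Value from the report; the output stays well-formed XML.
render_safe 'spacecraft/sc-mission-config.xml<&evil>.xml'
```

The two escaping layers are both required: XML escaping alone produces `&lt;` and `&amp;`, whose `&` sed would then expand to the matched text.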