
Fix: Command Execution/Runner Features #5199

@hacdias

Description


The implementation of the Command Execution functionality has been shown to be faulty over and over again. Not only is the implementation faulty, but there are several known security vulnerabilities that can be used to exploit this feature. If a malicious actor gets access to a user that has the ability to run commands, these faults could be exploited.

Related Issues

Known Security Vulnerabilities

Decision

The feature needs a complete overhaul, rewrite and hardening in order to fix all the existing issues and make it bulletproof. As a consequence of the maintenance mode of this project, none of us has enough time to dedicate to completely overhauling this feature. We also understand that deleting the feature is not desirable for some who rely on it in personal single-use instances.

We decided to disable this feature by default and for current installations, and we recommend against its usage unless you fully understand the security risks involved. It can be re-activated by using the `--disable-exec=false` flag or the `FB_DISABLE_EXEC=false` environment variable.
