Skip to content

[Security] Command Injection via _linkgo| -> Process.Start + PostMessage without origin check #1

Description

@lkaliturin220-svg

Security Report: BusEngine

Hi! I ran an automated security audit on the BusEngine repo and found a few potential vulnerabilities. Thanks for the awesome engine!


HIGH: Arbitrary Process Execution via _linkgo| message

Files:

  • BusEngine/Code/Plugin/Program.cs:151
  • BusEngine/Templates/cs/Launcher/Code/Plugin/Program.cs:132
} else if (t == "_linkgo|") {
    System.Diagnostics.Process.Start(message.Substring(8));
}

Issue: message.Substring(8) is passed directly to Process.Start() with no validation. If an attacker can control the message content (e.g. via XSS in WebView or a malicious page in the CEF browser), they can launch arbitrary executables on the user's machine.

Fix: Validate the URL — only allow https:// and http:// schemes:

if (Uri.TryCreate(message.Substring(8), UriKind.Absolute, out var uri) &&
    (uri.Scheme == "https" || uri.Scheme == "http")) {
    System.Diagnostics.Process.Start(uri.AbsoluteUri);
}

HIGH: PostMessage Listener Without Origin Validation

File: docs/Scripts/BusEngine/bus_app.js:1261

window.navigator.serviceWorker.addEventListener('message', function(event) {
    // NO event.origin check!
    ...
});

Fix: Add origin check:

window.navigator.serviceWorker.addEventListener('message', function(event) {
    if (event.origin !== 'https://busengine.buslikdrev.by') return;
    ...
});

MEDIUM: innerHTML XSS Risk

File: docs/Scripts/BusEngine/bus_app.js (multiple lines)

blockSelect.innerHTML = data;  // unsanitized server data!

Fix: Use textContent where possible, or DOMPurify + add CSP header.


LOW

  • Process.Start("Url") — dead placeholder in Plugin/Program.cs:90
  • Commented-out file_put_contents in busengine.php
  • HTTP links in docs

Clean

  • No hardcoded tokens/passwords
  • No disabled SSL validation
  • Clean App.config files

CVSS (RCE): ~8.4 (HIGH)
Overall risk: MODERATE

Full audit report available upon request. Thanks for the project!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions