Resolved

Paul (@headwall)

    Hi

    Version 3.5.30 depends on monolog (composer), but this version has two calls to shell_exec(), so it’s raising alarms with our PHP malware scanners.

    • monolog/src/Monolog/Processor/GitProcessor.php
    • monolog/src/Monolog/Processor/MercurialProcessor.php

    Do you really need the “monolog” package, and its calls to shell_exec()?

    We’ve put in a temporary patch at our end for now, but if you need shell_exec() in your plugin, we’ll need to put in long-term file exclusions in our PHP malware scanner rules (not ideal).

    Paul

    Plugin Support aapc

    (@aapc)

    Hi @headwall

    I’m glad you reached out. I have taken a look at the code and confirmed your findings. So I checked with our developers, and the monolog library was updated in the latest version of Kadence Blocks, and the current version does indeed include two instances of shell_exec. Our developers have reached out to monolog to inquire about this change. We will let you know as soon as we hear back.

    Thanks for the heads up! Stay tuned!

    Best regards,
    Anthony

    Plugin Support aapc

    (@aapc)

    Hi @headwall

    Thanks for your patience while I checked into this. As it turns out, the symfony library was in fact updated. The change however was mostly cosmetic. The two lines that are currently using shell_exec were previously using PHP’s backtick operator which is functionally equivalent. Since PHP backticks have been deprecated in PHP 8.5.0, the library now uses the shell_exec function instead. See the following PHP notice: https://www.php.net/manual/en/language.operators.execution.php

    That said, the library does not present any serious security concerns as no user input or variables are used in the commands. Therefore it would be safe to add these occurrences to any exceptions in your scanner.

    Please let me know if you have any questions or if I can do anything else to assist.

    Thanks!
    Anthony
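The distinction drawn above, a fixed command string versus one assembled from variables, is what a file scanner can key on instead of excluding whole files. The following is an added example, not code from this thread, Kadence Blocks or monolog: it runs PHP's own tokenizer over source text and labels each backtick command and shell_exec() call as literal or dynamic; the source it scans is a constructed sample, and it assumes PHP 8.

```php
<?php
// Added example, not code from Kadence Blocks or monolog: classify each backtick
// command and shell_exec() call in PHP source as "literal" (a fixed string, the case
// the thread describes) or "dynamic" (built from variables). Requires PHP 8.

// A command is literal only if every token inside it is a constant string part.
function classify(array $body): string
{
    $const = [T_CONSTANT_ENCAPSED_STRING, T_ENCAPSED_AND_WHITESPACE, T_WHITESPACE];
    foreach ($body as $t) {
        if (!is_array($t) || !in_array($t[0], $const, true)) return 'dynamic';
    }
    return 'literal';
}

function triage_shell_calls(string $source): array
{
    $tokens = token_get_all($source); $n = count($tokens);
    $findings = []; $line = 1;
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (is_array($tok)) $line = $tok[2]; // bare string tokens carry no line number
        $body = null;
        if ($tok === '`') {
            // Backtick operator: collect tokens up to the closing backtick.
            for ($body = [], $j = $i + 1; $j < $n && $tokens[$j] !== '`'; $j++) $body[] = $tokens[$j];
            $kind = 'backtick';
        } elseif (is_array($tok) && $tok[0] === T_STRING && strcasecmp($tok[1], 'shell_exec') === 0
            && ($tokens[$i + 1] ?? null) === '(') {
            // shell_exec(...): collect the argument list up to the matching ')'.
            for ($body = [], $depth = 0, $j = $i + 1; $j < $n; $j++) {
                if ($tokens[$j] === '(' && ++$depth === 1) continue;
                if ($tokens[$j] === ')' && --$depth === 0) break;
                $body[] = $tokens[$j];
            }
            $kind = 'shell_exec';
        }
        if ($body !== null) {
            $findings[] = ['line' => $line, 'kind' => $kind, 'risk' => classify($body)];
            $i = $j; // skip past the command just consumed
        }
    }
    return $findings;
}

// Constructed sample: two fixed commands in the style the thread refers to, plus one dynamic command.
$sample = "<?php\n\$b = `git branch -v --no-abbrev`;\n\$r = shell_exec('hg id -nb');\n\$l = shell_exec('git log ' . \$ref);\n";
foreach (triage_shell_calls($sample) as $f) {
    printf("line %d: %s -> %s\n", $f['line'], $f['kind'], $f['risk']);
}
```

Only findings reported as dynamic need a manual look before an exception is written; the two literal findings correspond to the pattern the reply describes.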

    Thread Starter Paul

    (@headwall)

    Thanks for taking the time to dig into this. Appreciated.

    I’ll have a think about whether we’ll continue to patch, or if we just add exceptions to our PHP file scanner.

    Cheers!
    Paul
