Fix vtysh shell-ingestion security issue (#7759)

xumia · web-flow · commit 5c503b81ae18 · 2021-06-28T09:57:08.000+08:00
Fix vtysh shell-ingestion security issue
Only expose the limited parameters of the command vtysh show.
diff --git a/files/image_config/sudoers/sudoers b/files/image_config/sudoers/sudoers
@@ -31,8 +31,10 @@ Cmnd_Alias      READ_ONLY_CMDS = /bin/cat /var/log/syslog*, \
                                  /usr/bin/sensors, \
                                  /usr/bin/tail -F /var/log/syslog, \
                                  /usr/bin/rvtysh *, \
-                                 /usr/bin/vtysh -c show *, \
-                                 /usr/bin/vtysh -n [0-9] -c show *, \
+                                 /usr/bin/vtysh -c show version, \
+                                 /usr/bin/vtysh -c show bgp ipv[46] summary json, \
+                                 /usr/bin/vtysh -n [0-9] -c show version, \
+                                 /usr/bin/vtysh -n [0-9] -c show bgp ipv[46] summary json, \
                                  /usr/local/bin/decode-syseeprom, \
                                  /usr/local/bin/generate_dump, \
                                  /usr/local/bin/ipintutil, \
