Submission Details
Severity: low
Invalid

Potentially Malicious test in the testing suite

Summary

In Foundry, the ffi cheatcode executes arbitrary shell commands from inside a test, and it only runs when the project explicitly enables it (ffi = true in foundry.toml, or forge test --ffi). The Foundry documentation states: "It is generally advised to use this cheat code as a last resort, and to not enable it by default, as anyone who can change the tests of a project will be able to execute arbitrary commands on devices that run the tests."

The testing suite provided for this project includes a test called testPwned() which uses the ffi cheatcode to create a file on the machine of whoever runs the tests.

Vulnerability Details

Here is the testPwned() function included in the file MerkleAirdropTest.t.sol:

function testPwned() public {
    string[] memory cmds = new string[](2);
    cmds[0] = "touch";
    cmds[1] = string.concat("youve-been-pwned");
    cheatCodes.ffi(cmds);
}

The test uses the ffi cheatcode to run touch, which creates a file called "youve-been-pwned" in the directory forge is run from on the machine of whoever executes the test suite.

Impact

The test as written is harmless: all it does is create an empty file called "youve-been-pwned". However, ffi calls should not be included in the testing suite at all, because the same mechanism can run any command. For example, the following Foundry test reads the project's .env file. Such a test could be used to steal API keys, since it is very common to keep RPC provider keys (and sometimes private keys) in .env when testing more complex protocols that are meant to run against production or forked state.

function testStealKeys() public {
    // `console` requires: import {console} from "forge-std/console.sol";
    string[] memory cmds = new string[](2);
    cmds[0] = "cat";
    cmds[1] = ".env"; // resolved relative to the project root, where forge runs
    bytes memory res = cheatCodes.ffi(cmds);
    console.log(string(res));

    // make a POST request with the API key (e.g. a second ffi call running curl)
}

Tools Used

Foundry

Recommendations

Delete testPwned() from MerkleAirdropTest.t.sol, and make sure ffi is not enabled in foundry.toml (ffi = true) or on the command line (forge test --ffi), so that any ffi call that is later added to a test fails instead of executing on contributors' machines.
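The recommendation above can be enforced mechanically. What follows is an added example, not code from the original submission or from the audited project: a small Python gate for a pre-commit hook or CI job that walks a Foundry project, flags every `.ffi(` call in `*.t.sol` files (ignoring commented-out ones) and reports whether foundry.toml has `ffi = true`. The sample test file and foundry.toml it writes to a temporary directory are constructed for the demo, and the `vm`/`cheatCodes` receiver names it matches are just whatever a project calls its Vm instance.

```python
"""Added example (not the project's or the submitter's code): a CI gate that
flags ffi cheatcode calls in a Foundry test suite and reports whether
foundry.toml arms them with `ffi = true`.  The sample project it builds in a
temporary directory is constructed for the demo."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Any `<name>.ffi(` call: vm.ffi(...), cheatCodes.ffi(...), cheats.ffi(...), ...
FFI_CALL = re.compile(r"\b\w+\s*\.\s*ffi\s*\(")
# `ffi = true` on its own line in foundry.toml (any profile).
FFI_ENABLED = re.compile(r"^\s*ffi\s*=\s*true\s*$", re.MULTILINE)


def strip_solidity_comments(src: str) -> str:
    """Blank out // and /* */ comments so commented-out calls are not flagged.
    Block comments are replaced by the same number of newlines, which keeps
    the reported line numbers accurate.  (A `//` inside a string literal is
    also stripped; good enough for a gate, not a full Solidity lexer.)"""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                 src, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", src)


def find_ffi_calls(root: Path) -> list[tuple[str, int, str]]:
    """(relative file, line number, stripped line) for every ffi call in *.t.sol."""
    hits = []
    for path in sorted(root.rglob("*.t.sol")):
        cleaned = strip_solidity_comments(path.read_text())
        for lineno, line in enumerate(cleaned.splitlines(), start=1):
            if FFI_CALL.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits


def ffi_enabled_in_config(root: Path) -> bool:
    """True if foundry.toml sets ffi = true.  Does not see `forge test --ffi`."""
    cfg = root / "foundry.toml"
    if not cfg.exists():
        return False
    without_comments = re.sub(r"#[^\n]*", "", cfg.read_text())
    return FFI_ENABLED.search(without_comments) is not None


def audit(root: Path) -> dict:
    """Policy: no ffi in the test suite at all ("ok").  "armed" says whether the
    calls found would actually execute under a plain `forge test`."""
    calls = find_ffi_calls(root)
    enabled = ffi_enabled_in_config(root)
    return {"ffi_calls": calls, "ffi_enabled": enabled,
            "armed": bool(calls) and enabled, "ok": not calls}


# --- constructed sample project (names mirror the finding, content is made up) ---
PWNED_TEST = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

contract MerkleAirdropTest is Test {
    function testPwned() public {
        string[] memory cmds = new string[](2);
        cmds[0] = "touch";
        cmds[1] = "youve-been-pwned";
        vm.ffi(cmds);
    }

    /* vm.ffi(cmds); in a block comment is ignored */
    function testClaim() public {
        // vm.ffi(cmds); commented out, ignored
        assertTrue(true);
    }
}
"""
# Same file with the live ffi call removed: what the suite should look like.
CLEAN_TEST = PWNED_TEST.replace("        vm.ffi(cmds);\n", "")


def build_demo_project(include_pwned: bool = True, ffi_in_config: bool = True) -> Path:
    """Write a throwaway Foundry-like project to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="ffi-gate-"))
    (root / "test").mkdir()
    (root / "test" / "MerkleAirdropTest.t.sol").write_text(
        PWNED_TEST if include_pwned else CLEAN_TEST)
    toml = '[profile.default]\nsrc = "src"\n'
    if ffi_in_config:
        toml += "ffi = true  # the weak setting the gate should catch\n"
    (root / "foundry.toml").write_text(toml)
    return root


if __name__ == "__main__":
    report = audit(build_demo_project())
    for rel, lineno, text in report["ffi_calls"]:
        print(f"{rel}:{lineno}: {text}")
    print("ffi enabled in foundry.toml:", report["ffi_enabled"])
    raise SystemExit(0 if report["ok"] else 1)
```

Run it against the real repository root before forge test in CI and fail the job on a non-zero exit. It only inspects foundry.toml, so a `--ffi` flag passed on the command line (or a wrapper script that adds one) is not detected; the point of also failing on un-armed calls is that a single config change would turn them live.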

Updates

Lead Judging Commences

patrickalphac (Auditor), over 1 year ago
inallhonesty (Lead Judge), over 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

ffi
