Skip to content

fix(transform_editor): escape output name to prevent code injection#182

Open
pabloinigoblasco wants to merge 2 commits into
mainfrom
fix/transform-editor-code-injection
Open

fix(transform_editor): escape output name to prevent code injection#182
pabloinigoblasco wants to merge 2 commits into
mainfrom
fix/transform-editor-code-injection

Conversation

@pabloinigoblasco

Copy link
Copy Markdown
Contributor

Summary

buildTransformScript concatenated the user-controlled id/name (the output-name field in Single mode, the suffix in Batch mode) unescaped into a double-quoted string literal of the generated Lua/Python script, which is then compiled and run. A name containing a quote closes the literal early and the rest is parsed as code: e.g. an output name of a"; import os; os.system("..."); z=" executes arbitrary code in the host process when the transform is created (Python backend; the Luau sandbox blocks os/io so its impact is bounded).

Add escapeForStringLiteral() and escape id/name (quote, backslash, newlines) before embedding them. buildTransformScript is the single script-generation point, so this covers both call sites (Single and Batch) and both backends. No behaviour change for normal names.

How it was tested

Reproduced with the Python backend: Transform Editor → Single, one input series, function return value, and the output name:

a"; import os; os.system("touch /tmp/pj_pwned"); z="

Ran the Python script exactly as generated by the plugin:

class T:
    name = "a"; import os; os.system("touch /tmp/pj_pwned"); z=""
    output = "double"
  • Without the fix: the literal is broken and os.system(...) runs → /tmp/pj_pwned is created (arbitrary code executed).
  • With the fix: the name is escaped → name = "a\"; import os; os.system(...)" → it stays an inert string → /tmp/pj_pwned is not created.

The transform is created in both cases; the difference is that with the fix the name is never executed.

Contents

  • toolbox_transform_editor/transform_editor_plugin.cpp: escapeForStringLiteral() helper + escape id/name in buildTransformScript for both Single and Batch modes.

pabloinigoblasco and others added 2 commits July 2, 2026 12:45
buildTransformScript concatenated the user-controlled id/name (the
output-name
field in Single mode, the suffix in Batch mode) unescaped into a
double-quoted
string literal of the generated Lua/Python script, which is then
compiled and
run. A name containing a quote closes the literal early and the rest
is parsed
as code: e.g. an output name of `a"; import os; os.system("...") ;
z="` executes
arbitrary code in the host process when the transform is created
(Python
  backend; the Luau sandbox blocks os/io so its impact is bounded).

Add escapeForStringLiteral() and escape id/name (quote, backslash,
newlines)
before embedding them. buildTransformScript is the single
script-generation
point, so this covers both call sites (Single and Batch) and both
backends. No
  behaviour change for normal names.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant