Shell injection attack on AdminUIHandler #2
Description
The code in question is https://github.com/dataflow/DataStage/blob/master/src/AdminUIHandler/services/AdminUIHandler.py#L155, lines 155 through 166. The variable remoteUser is pulled out of the HTTP Authorization header (L159), and then transcluded verbatim into commandString (L163). This is then passed to subprocess.Popen(.., shell=True) (L166) which executes commandString in a shell.
It would be trivial to craft an Authorization header (e.g. b64encoding "'; rm -rf / #:") to execute arbitrary commands on the server. It's also worth noting that remotPasswd is not used for any kind of authorization, so this attack is also available to untrusted users.