fix: prevent command injection in technique execution and malware retrieval

[tranquac]

Summary

Prevent command injection in technique execution and malware retrieval endpoints by validating user input.

Problem

1. Technique ID injection (line ~142-147)

The technique_id parameter from request.args.get('technique_id') is directly interpolated into a PowerShell command:

technique_id = request.args.get('technique_id')
powershell_command = f'"& {{... Invoke-AtomicTest {technique_id}}}"'
subprocess.run(['VBoxManage', ..., powershell_command], ...)

An attacker can inject arbitrary PowerShell commands: ?technique_id=T1059; Remove-Item -Recurse C:\

2. Malware family injection (line ~168-176)

The malwareFamily from request.json is passed to subprocess.Popen with shell=True after incomplete sanitization:

malware_family = malware_family.replace('"', '\"')...  # doesn't escape single quotes
command = f"sudo python3 ... '{malware_family}' > /dev/null 2>&1 & echo $!"
subprocess.Popen(command, shell=True, ...)

A malware_family containing '; rm -rf / # breaks out of the single quotes.

Fix

1. technique_id: Validate against ATT&CK format regex ^T\d{4}(\.\d{3})?$
2. malware_family: Replace incomplete manual escaping with shlex.quote() for proper shell escaping

Impact

• Type: Command Injection (CWE-78)
• Affected endpoints: Technique execution, malware retrieval
• Risk: Arbitrary command execution on the host and sandbox VM
• OWASP: A03:2021 — Injection