fix the qhelp of secondary server cmd injection

am0o0
2024-05-29 16:00:06 +02:00
parent 66cba89fdb
commit 5299c4a845

@@ -2,7 +2,10 @@
<qhelp>
<overview>
<p>
Running user-controlled values into a secondary remote servers without proper authorization can allow an attacker to inject arbitrary command in the secondary remote servers from within your primary remote servers.
Allowing users to execute arbitrary commands using an SSH connection on a secondary server can lead to security issues unless you implement proper authorization.
</p>
<p>
Assume that you connect to a secondary system via SSH connection from your main or local server that accepts user-controlled data and has interaction with users that you don't trust, passing these data to SSH API as a part of a command that will be executed on a secondary remote server can lead to security issues. You should consider proper authorization rules very carefully.
</p>
</overview>
<recommendation>
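Review bot: The paragraph beginning "Assume that you connect to a secondary system" is a comma splice that runs the setup and the risk together, and both new paragraphs end on an unspecific "can lead to security issues" without saying what the attacker gains. Consider splitting it into two sentences and naming the impact, for example: "Assume your main or local server accepts data from untrusted users and connects to a secondary system over SSH. Passing that data to the SSH API as part of a command lets the user run arbitrary commands on the secondary server." Also note that the sentence starting "Allowing users to execute arbitrary commands using an SSH connection" frames authorization as the only safeguard; if the query flags any user-controlled value reaching the SSH command, the overview should say so, otherwise readers may assume an authenticated user's input is safe to pass through unvalidated.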