
[Security] Bash Command Execution Vulnerability #175

@ozanhazer

Description

The ability to run bash commands through the UI is a huge security risk. That functionality should be disabled by default and only enabled if the developer sets that explicitly. They also should be warned about the security risk if they choose to enable it.

For example, any user that has access to the command runner can run cat .env and access all secrets. Practically any user with enough technical knowledge can use this to do anything they want with the application.

Also, disabling the bash command through 'custom_commands' => ['artisan'] doesn't prevent the bash command from running; it only removes the option from the form. If the request is sent manually, it'll still run. That also needs to be prevented. You can test by:

  • Enable the bash commands
  • Enter a command in the UI but do not run it yet
  • Disable the bash commands from the configuration
  • Switch to the UI and click run

The command runs successfully.
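A server-side gate of the kind the report asks for, as an added example that is not the package's own code: the allowed runner kinds are read from configuration on every request (defaulting to artisan only), so whether the form shows the bash option no longer matters, and each run is logged with the acting user. The config key `command-runner.custom_commands`, the controller class and the `runShell()` helper are assumptions.

```php
<?php
// Added illustration, not the package's own code. Assumes a Laravel app where
// config('command-runner.custom_commands') lists the enabled runner kinds and
// the UI posts "type" plus "command"; the config key, class name and the
// runShell() helper are hypothetical.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Artisan;
use Illuminate\Support\Facades\Log;

final class CommandRunnerController
{
    // What is allowed when the developer configures nothing: never 'bash'.
    private const DEFAULT_ALLOWED = ['artisan'];
    // Server-side decision for a runner kind. Config is read on every request,
    // so removing 'bash' from custom_commands takes effect even for a form that
    // was rendered and filled in while bash was still enabled.
    public static function isAllowed(string $type): bool
    {
        $allowed = config('command-runner.custom_commands', self::DEFAULT_ALLOWED);
        return in_array($type, $allowed, true);
    }

    public function run(Request $request)
    {
        $input = $request->validate([
            'type'    => ['required', 'in:artisan,bash'],
            'command' => ['required', 'string', 'max:1000'],
        ]);

        // Hiding an option in the form is not a control; this check is.
        if (!self::isAllowed($input['type'])) {
            abort(403, "Runner '{$input['type']}' is disabled by configuration.");
        }

        // Every execution is logged with the acting user so misuse is auditable.
        Log::warning('command-runner execution', [
            'user_id' => $request->user()?->id, 'type' => $input['type'],
            'command' => $input['command'],
        ]);
        if ($input['type'] === 'artisan') {
            Artisan::call($input['command']); // via the framework, not a shell
            return response()->json(['output' => Artisan::output()]);
        }
        // Reached only when the developer explicitly opted in to 'bash'.
        return response()->json(['output' => $this->runShell($input['command'])]);
    }
}
```

The route serving this controller should still sit behind the application's normal authentication and authorization middleware; the configuration check only decides which runner kinds exist at all.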
