
Security: Remote code execution vulnerability

Open 95jonpet opened this issue 7 years ago • 1 comment

Running tinker allows arbitrary code to be executed. This is very dangerous.

Any executed php code will have the same access as the running php instance. This means that the running application may be altered, and if run with root privileges, one can get complete control of the machine.

This can be solved by:

  1. Notifying users of this in a readme file.
  2. Only allowing tinker to be run locally - env is set to local

95jonpet avatar Aug 22 '18 17:08 95jonpet

You can do that in NovaServiceProvider:

    public function tools()
    {
        return [
            // canSee() receives the current request; the closure must *return*
            // a boolean, otherwise Nova treats the tool as not authorized.
            (new \Beyondcode\TinkerTool\Tinker)->canSee(function ($request) {
                return env('APP_ENV') === 'local';
            })
        ];
    }

chbbc avatar Dec 21 '18 12:12 chbbc
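A fuller version of the gate suggested above, added here as an example and not code from the nova-tinker-tool package or from either commenter. It assumes a standard Nova `NovaServiceProvider`, a hypothetical `useTinker` ability, and a hypothetical allowlist `TINKER_USERS` of developer e-mail addresses. It checks the environment with `app()->environment()` rather than `env()`, because `env()` returns null once the configuration has been cached with `config:cache`, and it combines the environment check with an explicit per-user allowlist, since in local environments tinker still runs with the full privileges of the PHP process.

```php
<?php

namespace App\Providers;

use Beyondcode\TinkerTool\Tinker;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Laravel\Nova\NovaApplicationServiceProvider;

class NovaServiceProvider extends NovaApplicationServiceProvider
{
    // Hypothetical allowlist: accounts that may open the Tinker tool at all.
    private const TINKER_USERS = [
        'dev@example.com',
    ];

    public function boot()
    {
        parent::boot();

        // Hypothetical ability. Both conditions must hold: the app must be
        // running in the local environment, and the user must be allowlisted.
        // app()->environment() reads the bootstrapped config, so it keeps
        // working after `php artisan config:cache`, whereas env() would not.
        Gate::define('useTinker', function ($user) {
            return app()->environment('local')
                && in_array($user->email, self::TINKER_USERS, true);
        });
    }

    public function tools()
    {
        return [
            (new Tinker)->canSee(function (Request $request) {
                // The closure must return the decision; evaluating an
                // expression without `return` yields null, i.e. "not allowed".
                $user = $request->user();

                return $user !== null
                    && Gate::forUser($user)->allows('useTinker');
            }),
        ];
    }
}
```

The `canSee` closure is what Nova consults through the tool's `authorize()` method, so as long as the tool's routes are protected by the `Authorize` middleware that the Nova tool scaffold ships with, the same check covers both the sidebar entry and the tool's HTTP endpoints. If the allowlist is empty, the tool is unreachable in every environment, which is the safe default for a tool that executes arbitrary PHP.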