Code injection via device inventory?

Good Day, Friends!

I’m working on an mender artifact that will extend the device inventory. It is a more general question about security because I do not understand the implications.

Via --type script update module I have create an inventory file on the fly.

# realpath mender-inventory-basic-info 
# cat /usr/share/mender/inventory/mender-inventory-basic-info
echo 'uptime'=$(uptime -p)
echo 'uptime_date'=$(uptime -s)

Our devices are not temper proof and can be modified by the “customer” as they please.

  1. To which risks is the mender backend exposed in such a case?
  2. Is it possible to perform code injection with device inventory info?
    Assume the customer modified the device inventory in such a way that it will produce malicious mongodb queries that will attack the backend. How realistic is this?

It is a more theoretical discussion.

Hi @mister_kanister,

Interesting question! Thinking a bit about it, the question expands to: “what if an attacker controls an authenticated device?”. As far as I know, at some point API throttling will occur, but maybe @kjaskiewiczz can share some more information.