What's the vulnerability?

Remote command injection in heap profiler endpoint via unsanitized extra_options parameter in Apache bRPC.

Root Cause Analysis

# Root Cause Analysis - CVE-2025-60021

## Summary
Apache bRPC versions 1.11.0 through 1.14.x allow remote command injection via the built-in `/pprof/heap` endpoint when jemalloc profiling is enabled. The handler concatenates the user-controlled `extra_options` query parameter directly into a shell command used to invoke `jeprof`, and the command is executed through `popen`, allowing shell metacharacters to execute arbitrary commands.

## Impact
- **Component:** `src/brpc/details/jemalloc_profiler.cpp` (jemalloc heap profiler endpoint `/pprof/heap`)
- **Affected versions:** 1.11.0 to <1.15.0
- **Risk level:** Important — remote command execution as the service user, enabling data exfiltration and lateral movement.

## Root Cause
The heap profiler handler builds a command line for `jeprof` and appends the `extra_options` query parameter without validation:
- Vulnerable code (1.14.1): `cmd_str += " --" + *uri_extra_options + " ";`
- The command is executed via `butil::read_command_output`, which uses `popen()` (`/bin/sh -c`), so shell metacharacters in `extra_options` are interpreted.

The fix in 1.15.0 introduces a whitelist of allowed `extra_options` values and ignores unsupported inputs, preventing shell metacharacter injection. See PR https://github.com/apache/brpc/pull/3101.
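The vulnerable concatenation beside an allow-list fix and a no-shell argv form, as an added example in the style of the affected C++ code (it is not bRPC's own code; the function names, the `kAllowedExtraOptions` set and the argument layout are assumptions, and only the quoted `cmd_str +=` line comes from the advisory):

```cpp
#include <cctype>
#include <set>
#include <string>
#include <vector>

// Allow-list of extra_options values. Illustrative (an assumption for this
// example), not the exact list adopted by bRPC 1.15.0.
static const std::set<std::string> kAllowedExtraOptions = {"text", "svg", "dot", "raw"};

// Vulnerable pattern: the query parameter is spliced into a string that is later
// handed to popen() (/bin/sh -c), so ';', '|', '$(...)' are interpreted by the shell.
std::string build_jeprof_cmd_vulnerable(const std::string& jeprof, const std::string& heap_file,
                                        const std::string& extra_options) {
    std::string cmd_str = jeprof + " " + heap_file;
    cmd_str += " --" + extra_options + " ";  // the line the advisory quotes
    return cmd_str;
}

// Fixed pattern in the spirit of the 1.15.0 change: only an exact allow-listed value
// is appended; anything else is ignored rather than passed through to the shell.
std::string build_jeprof_cmd_fixed(const std::string& jeprof, const std::string& heap_file,
                                   const std::string& extra_options) {
    std::string cmd_str = jeprof + " " + heap_file + " ";
    if (kAllowedExtraOptions.count(extra_options)) cmd_str += "--" + extra_options + " ";
    return cmd_str;
}

// Preferred shape for new tooling: an argv vector for execve()/posix_spawn(), so no
// shell ever parses the arguments. The allow-list is still applied so jeprof only
// sees options the service intends to expose.
std::vector<std::string> build_jeprof_argv(const std::string& jeprof, const std::string& heap_file,
                                           const std::string& extra_options) {
    std::vector<std::string> argv = {jeprof, heap_file};
    if (kAllowedExtraOptions.count(extra_options)) argv.push_back("--" + extra_options);
    return argv;
}

// Detection helper: true if a shell would treat any character specially. Useful for
// triaging /pprof/heap?extra_options= values in access logs of unpatched builds.
bool has_shell_metachar(const std::string& s) {
    static const std::string kMeta = ";|&$`<>()'\"\\ \t\n*?{}[]~";
    for (char c : s) {
        if (kMeta.find(c) != std::string::npos) return true;
        if (!std::isprint(static_cast<unsigned char>(c))) return true;
    }
    return false;
}
```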

## Reproduction Steps
1. Run `repro/reproduction_steps.sh`.
2. The script builds bRPC 1.14.1 and 1.15.0, starts the echo server with jemalloc profiling enabled, then issues crafted `/pprof/heap` requests.
3. Expected evidence: `uid=...` appears in `logs/vuln_response.txt` for 1.14.1 and is absent in `logs/fixed_response.txt` for 1.15.0.

## Evidence
- Vulnerable response (1.14.1): `logs/vuln_response.txt`
  - `uid=0(root) gid=0(root) groups=0(root)` (line 82)
- Fixed response (1.15.0): `logs/fixed_response.txt`
  - No `uid=` output present.
- Build and runtime logs:
  - `logs/echo_server_vuln.log`
  - `logs/echo_server_fixed.log`

Environment details:
- Ubuntu with system dependencies installed via `apt-get`.
- jemalloc enabled via `MALLOC_CONF=prof:true` and `LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2`.

## Recommendations / Next Steps
- Upgrade to bRPC 1.15.0 or apply the whitelist patch from PR #3101.
- Consider avoiding shell execution entirely (pass arguments directly to `execve` without shell) for any future tooling.
- Add regression tests for `/pprof/heap` to ensure only approved options are accepted.

## Additional Notes
- Idempotency verified: `repro/reproduction_steps.sh` executed twice successfully.
- The exploit only applies when jemalloc profiling is enabled and `/pprof/heap` is reachable.

One Command

Verify with pruva-verify

Run the Pruva CLI to automatically fetch and execute the reproduction script.

    pruva-verify REPRO-2026-00072

or

    pruva-verify CVE-2025-60021

Install: curl -fsSL https://pruva.dev/install.sh | sh

Or Run Manually

1. Download the script:

       curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00072/artifacts/reproduction_steps.sh

2. Make it executable:

       chmod +x reproduction_steps.sh

3. Run the script:

       ./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.
