Security Fix for Arbitrary Code Execution - huntr.dev #637
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixed Arbitrary Code execution in petastorm
|
|
|
@d3m0n-r00t - are you able to sign the CLA? Cheers! 🍰 |
selitvin
added a commit
to selitvin/petastorm
that referenced
this pull request
Jan 23, 2021
Based on uber#637: whitelists a set of packages which classes can be unpickled. Prevents unpickling a malicious class that may invoke os.execute or a similar command.
selitvin
added a commit
to selitvin/petastorm
that referenced
this pull request
Jan 23, 2021
Based on uber#637: whitelists a set of packages which classes can be unpickled. Prevents unpickling a malicious class that may invoke os.execute or a similar command.
|
Thanks for the proposed fix. I created #640 which properly fixes the issue in the context of petastorm (this PR would not pass unit tests) |
selitvin
requested changes
Jan 29, 2021
| @@ -43,5 +69,5 @@ def depickle_legacy_package_name_compatible(pickled_string): | |||
| 'Regenerate metadata.', legacy_package_name, legacy_module, legacy_module) | |||
|
|
|||
| pickled_string = modified_pickled_string | |||
|
|
|||
| restricted_loads(pickled_string) | |||
There was a problem hiding this comment.
We are ignoring the return value here. Also, the implementation fails the tests. Started #640 to resolve test issues.
selitvin
added a commit
to selitvin/petastorm
that referenced
this pull request
Jul 25, 2021
Based on uber#637: whitelists a set of packages which classes can be unpickled. Prevents unpickling a malicious class that may invoke os.execute or a similar command.
selitvin
added a commit
to selitvin/petastorm
that referenced
this pull request
Jul 25, 2021
Based on uber#637: whitelists a set of packages which classes can be unpickled. Prevents unpickling a malicious class that may invoke os.execute or a similar command.
selitvin
added a commit
that referenced
this pull request
Jul 26, 2021
Based on #637: whitelists a set of packages which classes can be unpickled. Prevents unpickling a malicious class that may invoke os.execute or a similar command.
selitvin
added a commit
to selitvin/petastorm
that referenced
this pull request
Jul 26, 2021
Based on uber#637: whitelists a set of packages which classes can be unpickled. Prevents unpickling a malicious class that may invoke os.execute or a similar command.
selitvin
added a commit
to selitvin/petastorm
that referenced
this pull request
Jul 26, 2021
Based on uber#637: whitelists a set of packages which classes can be unpickled. Prevents unpickling a malicious class that may invoke os.execute or a similar command.
selitvin
added a commit
that referenced
this pull request
Jul 26, 2021
Based on #637: whitelists a set of packages which classes can be unpickled. Prevents unpickling a malicious class that may invoke os.execute or a similar command.
selitvin
added a commit
that referenced
this pull request
Jul 28, 2021
Based on #637: whitelists a set of packages which classes can be unpickled. Prevents unpickling a malicious class that may invoke os.execute or a similar command.
|
Fixed by #640. Closing this PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://huntr.dev/users/d3m0n-r00t has fixed the Arbitrary Code Execution vulnerability 🔨. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/petastorm/1/README.md
User Comments:
📊 Metadata *
Fixed Arbitrary code execution in
petastormBounty URL: https://www.huntr.dev/bounties/1-pip-petastorm/
⚙️ Description *
Petastormis an open source data access library developed at Uber ATG. This library enables single machine or distributed training and evaluation of deep learning models directly from datasets in Apache Parquet format. Petastorm supports popular Python-based machine learning (ML) frameworks such as Tensorflow, PyTorch, and PySpark. It can also be used from pure Python code.Vulnerability descriptionuntrusted loading of data by thepickle.loadfunction leading toArbitrary code execution.💻 Technical Description *
The function
depickle_legacy_package_name_compatible()blindly loads a pickle file without any validation making it vulnerable toArbitrary Code Execution. If the input pickle file is a malicious payload, create a file remotely.🐛 Proof of Concept (PoC) *
🔥 Proof of Fix (PoF) *
Fix when subprocess is called.
👍 User Acceptance Testing (UAT)
Applied fix from pickle official fix as explained in here.
https://www.cmi.ac.in/~madhavan/courses/python-2014/docs/python-3.2.1-docs-html/library/pickle.html
Proper working. (Something other than a payload).