PaddlePaddle / Serving

A flexible, high-performance carrier for machine learning models(『飞桨』服务化部署框架)
Apache License 2.0

[Security] [Bug] Unsafe deserialization is prone to RCE #1907

Closed crazymanarmy closed 7 months ago

crazymanarmy commented 1 year ago

https://github.com/PaddlePaddle/Serving/blob/bdf4ada65e40c9d8146b9aac14a8cf406d9ba37e/python/pipeline/operator.py#L1753

np_data = np.load(byte_data, allow_pickle=True) can trigger pickle deserialization.

Tracing its call chain gives the following:

(paddle_serving_server/pipeline)
operator.py:1753 np_data = np.load(byte_data, allow_pickle=True)
operator.py:1763 unpack_request_package(self, request)
dag.py:799 unpack_func = op.unpack_request_package (in _build_dag)
dag.py:814 build(self)
dag.py:94 (in_channel, out_channel, pack_rpc_func,unpack_rpc_func) = self._dag.build()
dag.py:306 dictdata, log_id, prod_errcode, prod_errinfo = self._unpack_rpc_func(rpc_request)
dag.py:374 req_channeldata = self._pack_channeldata(rpc_request, data_id) (in call)
pipeline_server.py:73 resp = self._dag_executor.call(request)

It is speculated that Pickle deserialization can be triggered by constructing the tensor field in the request.

PoC:

curl -X POST -k http://localhost:18082/uci/prediction -d '{"key": ["x"], "value": ["0.0137, -0.1136, 0.2553, -0.0692, 0.0582, -0.0727, -0.1583, -0.0584, 0.6283, 0.4919, 0.1856, 0.0795, -0.0332"],"tensors":[{name:"A",elem_type: "13",byte_data: payload,}]}'

The payload is generated by pickle.dumps.
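As an added, defender-side illustration (not code from this issue or from Paddle Serving): a pure-Python pre-check for the `byte_data` field that runs before `np.load`, to be used together with switching the call to `allow_pickle=False`. It parses numpy's documented `.npy` v1.0 header and rejects anything that is not a plain numeric array; `build_npy`, `check_npy_bytes`, `is_safe_npy` and the sample blobs are constructed for this example.

```python
import ast
import struct

NPY_MAGIC = b"\x93NUMPY"


def build_npy(descr, shape, data):
    """Serialise a minimal .npy v1.0 container; used here only to construct sample inputs."""
    header = "{'descr': %r, 'fortran_order': False, 'shape': %r, }" % (descr, shape)
    pad = (64 - (10 + len(header) + 1) % 64) % 64  # numpy aligns the data start to 64 bytes
    header = header + " " * pad + "\n"
    return NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(header)) + header.encode("latin1") + data


def check_npy_bytes(blob, max_elems=1_000_000):
    """Validate an untrusted .npy blob before calling np.load(..., allow_pickle=False).

    Rejects: bytes without the .npy magic (with allow_pickle=True np.load would hand
    these straight to pickle.load), unknown format versions, malformed or truncated
    headers, object dtypes (numpy stores those as pickles), and oversized shapes.
    Returns the parsed dtype string and shape on success.
    """
    if len(blob) < 10 or not blob.startswith(NPY_MAGIC):
        raise ValueError("not a .npy payload")
    if blob[6:8] != b"\x01\x00":
        raise ValueError("unsupported .npy format version")
    (hlen,) = struct.unpack("<H", blob[8:10])
    header_text = blob[10:10 + hlen].decode("latin1")
    if len(header_text) != hlen:
        raise ValueError("truncated header")
    try:
        header = ast.literal_eval(header_text)  # literal_eval evaluates no code, unlike pickle
    except (ValueError, SyntaxError) as exc:
        raise ValueError("malformed header") from exc
    if not isinstance(header, dict):
        raise ValueError("malformed header")
    descr, shape = header.get("descr"), header.get("shape")
    if not isinstance(descr, str) or "O" in descr:
        raise ValueError("object or structured dtype would require pickle; rejected")
    if not isinstance(shape, tuple) or not all(isinstance(d, int) and d >= 0 for d in shape):
        raise ValueError("invalid shape")
    elems = 1
    for d in shape:
        elems *= d
    if elems > max_elems:
        raise ValueError("array too large")
    return {"descr": descr, "shape": shape}


def is_safe_npy(blob):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        check_npy_bytes(blob)
        return True
    except ValueError:
        return False
```

A request handler would run `check_npy_bytes` on the field, then call `np.load(io.BytesIO(byte_data), allow_pickle=False)`, so even a blob that slips past the check cannot reach the pickle path.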
