cs01 / pythonloc

drop-in Python replacement that imports packages from local directory (attempt at PEP 582 implementation)
MIT License

Untrusted arbitrary code execution? #11

Open seirl opened 5 years ago

seirl commented 5 years ago

Is this expected?

antoine@elune /tmp/tmp.ucyPsHjPcy/untrusted_code % cat /usr/bin/grep.py 
#!/usr/bin/env python3

import os
print('Running grep.')
antoine@elune /tmp/tmp.ucyPsHjPcy/untrusted_code % cat os.py    
print('MALICIOUS')
antoine@elune /tmp/tmp.ucyPsHjPcy/untrusted_code % pythonloc /usr/bin/grep.py 
MALICIOUS
Fatal Python error: initsite: Failed to import the site module
Traceback (most recent call last):
[...]
AttributeError: module 'os' has no attribute 'path'

It doesn't seem reasonable at all to me that running a random script installed on my system with pythonloc would override its libraries with potentially arbitrary code in the directory I'm running the script from.
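A defensive check for the condition reported above, as an added example that is not part of the issue thread or of pythonloc's code: it flags `PYTHONPATH` entries that resolve to the working directory and lists files there that share a name with a standard-library module. The function names, the sample directory and the placeholder lib path are assumptions.

```python
import os
import sys
import tempfile

# Standard-library module names; sys.stdlib_module_names exists on Python 3.10+,
# the fallback is a small constructed subset for older interpreters.
STDLIB = getattr(sys, "stdlib_module_names",
                 frozenset({"os", "sys", "site", "re", "json"}))


def cwd_entries(pythonpath, cwd):
    """Return the PYTHONPATH entries that make Python search `cwd` itself."""
    target = os.path.realpath(cwd)
    # "" and "." both resolve to the directory the interpreter is started from.
    return [e for e in pythonpath.split(os.pathsep)
            if os.path.realpath(os.path.join(cwd, e)) == target]


def shadowing_modules(directory):
    """Return names in `directory` that share a name with a stdlib module."""
    hits = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        stem, ext = os.path.splitext(name)
        is_module = ext == ".py" and stem in STDLIB
        # A directory only counts as a regular package if it has __init__.py.
        is_package = name in STDLIB and os.path.isfile(
            os.path.join(full, "__init__.py"))
        if is_module or is_package:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed sample: a working directory holding an os.py, as in the report.
    workdir = tempfile.mkdtemp()
    for fname in ("os.py", "notes.py"):
        open(os.path.join(workdir, fname), "w").close()
    # Constructed PYTHONPATH value with "." first; the lib path is a placeholder.
    value = os.pathsep.join([".", "/placeholder/__pypackages__/lib"])
    print("entries resolving to cwd:", cwd_entries(value, workdir))
    print("stdlib names shadowed there:", shadowing_modules(workdir))
```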

seirl commented 5 years ago

The fix is just this:

diff --git a/pythonloc/pythonloc.py b/pythonloc/pythonloc.py             
index f5f77bf..913223f 100644
--- a/pythonloc/pythonloc.py
+++ b/pythonloc/pythonloc.py
@@ -27,7 +27,7 @@ def _get_pypackages_lib_path(script_path=None):
 def _get_env(script_path=None):
     env = dict(os.environ)
     env["PYTHONPATH"] = os.path.pathsep.join(
-        [".", _get_pypackages_lib_path(script_path)]
+        [_get_pypackages_lib_path(script_path)]
         + os.getenv("PYTHONPATH", "").split(os.path.pathsep)
     )
     return env
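Review bot: the unchanged context line `+ os.getenv("PYTHONPATH", "").split(os.path.pathsep)` still appends `[""]` when PYTHONPATH is unset or empty, so the joined value ends with a path separator and carries an empty entry, which Python resolves to the current directory just as the removed "." did. Filter empty entries before joining, for example `[p for p in os.getenv("PYTHONPATH", "").split(os.path.pathsep) if p]`. A regression test that runs a script from a directory containing a shadowing module, with PYTHONPATH unset, would cover both cases.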