engineer-man / piston-bot

I Run Code bot on Discord
https://emkc.org/run
MIT License
242 stars 36 forks

Safety concerns #34

Closed adrian-goe closed 3 years ago

adrian-goe commented 3 years ago

Hi, I found the bot on a server and had to try it a bit. Apparently you can do everything without any problems. Things like console.log(process.env) are relatively harmless. Should that be executed?

When running the following code, there is no response, which leads me to believe that things are possible that shouldn't necessarily be possible.

/run python
```python
import os
os.system("sudo shutdown")  # the bot returns no output for this
```

or this command returns all processes:

/run python
```python
import os
os.system("ps -aux | less")  # lists every process visible to the runner
```

So there could be attacks. I have not tested curl with execution. Maybe you should have a look at it.

dev-null-undefined commented 3 years ago

The user under which the code is running does not have permission to do any harm to the server. There have been a few outbreaks, but those have been fixed, and currently there is no known way to destroy or stop the runner. Also, the code is running inside a container (lxc), so even if there were a potential outbreak, unless you find a way to get out of the lxc container, which would be a huge bug, there is no way to get to the host PC. This means that the maximum you can do is destroy the runner. EM has invited everyone to try and break the bot, and as far as I know there was one big bug that was fixed that way; if you find a new one, you can join us on the Discord server and show us what you have.
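The reply above describes the runner's defence in depth: an unprivileged user plus a container, so code like the `ps` and `sudo shutdown` snippets in the issue can at worst hurt the runner itself. As an added illustration (not piston's own code), the wrapper below shows the minimal host-side controls such a runner needs even before the container layer: a scrubbed environment, CPU and memory rlimits, a wall-clock timeout, and killing of the whole process group so spawned shells do not outlive the job. The limit values are assumed for the demo, not piston's.

```python
import os
import resource
import signal
import subprocess
import sys
import tempfile

# Assumed demo limits (hypothetical, not piston's configuration).
CPU_SECONDS = 2
MEMORY_BYTES = 512 * 1024 * 1024
WALL_SECONDS = 3

def _apply_limits():
    """Runs in the child between fork and exec: cap CPU time and address space."""
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    try:
        resource.setrlimit(resource.RLIMIT_AS, (MEMORY_BYTES, MEMORY_BYTES))
    except ValueError:
        pass  # some platforms refuse RLIMIT_AS; the CPU and wall-clock caps still apply

def run_untrusted(source: str) -> dict:
    """Execute untrusted Python source in a scrubbed subprocess and report the outcome."""
    with tempfile.TemporaryDirectory() as workdir:
        proc = subprocess.Popen(
            [sys.executable, "-I", "-c", source],  # -I: isolated mode, no user site/PYTHONPATH
            cwd=workdir,
            env={"PATH": "/usr/bin:/bin", "LANG": "C"},  # nothing inherited from the bot process
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            preexec_fn=_apply_limits,
            start_new_session=True,  # own process group: children of os.system() die with the job
        )
        try:
            out, err = proc.communicate(timeout=WALL_SECONDS)
            timed_out = False
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)
            out, err = proc.communicate()
            timed_out = True
    return {"stdout": out.decode(errors="replace"), "stderr": err.decode(errors="replace"),
            "returncode": proc.returncode, "timed_out": timed_out}

def env_leak_check() -> str:
    """Plant a constructed secret in the bot's environment and see whether the job can read it."""
    os.environ["DEMO_SECRET"] = "hunter2"  # constructed value for the demo
    job = run_untrusted("import os; print(os.environ.get('DEMO_SECRET'))")
    return job["stdout"].strip()  # "None" means the environment was scrubbed
```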