github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[Python]: Add unsafe deserialization sinks #772

Closed maikypedia closed 1 year ago

maikypedia commented 1 year ago

Query PR

https://github.com/github/codeql/pull/13781

Language

Python

CVE(s) ID list

CWE

CWE-502: Deserialization Of Untrusted Data

Report

This covers the pandas, numpy and joblib unsafe deserialization vulnerability, which happens when an attacker is able to inject data into the deserialization method, leading to Remote Code Execution. Both numpy and joblib don't deserialize the input itself but the content of the file, like other libraries modeled for insecure deserialization, but it is worth alerting. In the case of pandas the input could be an attacker URL containing the data to deserialize, and that could lead to Remote Code Execution.

The dataflow configuration I used is the Unsafe Deserialization default, looking for RemoteFlowSource flowing to the deserialization of data by pandas, numpy and joblib. The sinks are pandas.read_pickle, numpy.load and joblib.load.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response
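As an added example (not code from the submission or from the CodeQL query it describes), the pandas sink above beside a hardened loader that never reaches a pickle-based deserializer; the data directory, the format allowlist and the function names are assumptions:

```python
"""CWE-502 in pandas/numpy/joblib loaders: the flagged sink pattern beside a hardened loader."""
from pathlib import Path
from urllib.parse import urlparse

# Constructed trusted dataset directory and format allowlist (assumptions for this example).
DATA_DIR = Path("/srv/app/datasets")
SAFE_SUFFIXES = {".csv", ".npy"}  # formats whose parsers never unpickle


def load_untrusted(source: str):
    """VULNERABLE pattern: `source` is a request parameter (a RemoteFlowSource).
    pandas.read_pickle accepts URLs and unpickles whatever it fetches, so an
    attacker-chosen URL flows straight into the sink the query reports."""
    import pandas as pd  # imported lazily so the module loads without pandas installed
    return pd.read_pickle(source)


def resolve_trusted_path(source: str, data_dir: Path = DATA_DIR) -> Path:
    """Refuse remote sources, directory escapes and pickle-based formats."""
    if urlparse(source).scheme:  # "http", "https", "file", "s3", ... mean a fetch
        raise ValueError("remote sources are not allowed")
    path = (data_dir / source).resolve()
    if data_dir.resolve() not in path.parents:  # "../" or absolute paths escape the directory
        raise ValueError("path escapes the dataset directory")
    if path.suffix.lower() not in SAFE_SUFFIXES:  # .pkl / .joblib / .npy-with-objects refused
        raise ValueError(f"unsupported format {path.suffix!r}")
    return path


def is_trusted_source(source: str, data_dir: Path = DATA_DIR) -> bool:
    """Boolean view of resolve_trusted_path, convenient for request validation."""
    try:
        resolve_trusted_path(source, data_dir)
    except ValueError:
        return False
    return True


def load_trusted(source: str, data_dir: Path = DATA_DIR):
    """HARDENED loader: validated local path, and only parsers that cannot execute code."""
    path = resolve_trusted_path(source, data_dir)
    if path.suffix.lower() == ".csv":
        import pandas as pd
        return pd.read_csv(path)
    import numpy as np
    # allow_pickle=False makes numpy.load reject object arrays, closing its pickle sink.
    return np.load(path, allow_pickle=False)
```

joblib.load has no equivalent of allow_pickle=False, so the only mitigation is to keep attacker-influenced paths and URLs out of it entirely, as the allowlist above does.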

ghsecuritylab commented 1 year ago

Your submission is now in status Query review.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 1 year ago

Your submission is now in status Final decision.

ghsecuritylab commented 1 year ago

Your submission is now in status Pay.

xcorail commented 1 year ago

Created HackerOne report 2187446 for bounty 517313: [772] [Python]: Add unsafe deserialization sinks

ghsecuritylab commented 1 year ago

Your submission is now in status Closed.