github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

Python: Add Code Injection Sinks for Pandas #814

Closed R3x closed 5 months ago

R3x commented 5 months ago

Query PR

https://github.com/github/codeql/pull/15314

Language

Python

CVE(s) ID list

CWE

CWE-094

Report

1/2. Pandas has a function to query the columns of a Pandas DataFrame with a boolean expression. However, this function allows referring to variables in the environment by prefixing them with an '@' character, like @a + b. This can be exploited to call Python functions if untrusted user input is passed. Example: https://book.hacktricks.xyz/generic-methodologies-and-resources/python/bypass-python-sandboxes#other-libraries-that-allow-to-eval-python-code

  1. Sources would be any remote untrusted input, for example parameters from a Flask request.
  2. We didn't add any additional sanitizers.

Are you planning to discuss this vulnerability submission publicly? (Blog post, social networks, etc.)

Blog post link

No response
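The report above names the sink (DataFrame.query with an untrusted expression) and states that no sanitizer was modelled. The following is an added example, not code from the submission, from the CodeQL query or from pandas, showing what such a sanitizer looks like from the defender's side: the expression is parsed with Python's `ast` module and only a boolean filter over known column names is let through, so the `@name` scope hook, calls, attribute access and subscripts never reach `query()`. The function names `validate_query` and `is_safe_query`, the allowlist policy, and the sample column set are assumptions chosen for illustration.

```python
"""Allowlist sanitizer for untrusted filter expressions passed to pandas.DataFrame.query().

Added example (not part of the original submission, the CodeQL query, or pandas).
The names and the policy below are assumptions chosen for illustration.
"""
import ast

# Node types a plain column filter needs. Everything else (Call, Attribute,
# Subscript, Lambda, comprehensions, ...) is rejected by omission.
_ALLOWED_NODES = (
    ast.Expression,
    ast.BoolOp, ast.And, ast.Or,
    ast.UnaryOp, ast.Not, ast.USub,
    ast.BinOp, ast.BitAnd, ast.BitOr,          # pandas accepts & and | as and/or
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.In, ast.NotIn,
    ast.Name, ast.Constant, ast.List, ast.Tuple, ast.Load,
)


def validate_query(expr: str, columns: set[str]) -> str:
    """Return expr unchanged if it is a boolean filter over known columns only.

    Raises ValueError for anything else, in particular the '@name' syntax that
    pandas uses to resolve identifiers from the caller's local/global scope.
    """
    # pandas rewrites '@name' before evaluation; reject it outright rather than
    # relying on the Python grammar (a bare '@' is a SyntaxError in eval mode,
    # but 'x @ y' parses as matrix multiplication). This also rejects '@'
    # inside string literals, which is acceptable for a conservative policy.
    if "@" in expr:
        raise ValueError("local-variable references (@name) are not allowed")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid filter expression: {exc.msg}") from None
    for node in ast.walk(tree):
        if isinstance(node, ast.BinOp) and not isinstance(node.op, (ast.BitAnd, ast.BitOr)):
            raise ValueError("only & and | are allowed as binary operators")
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in columns:
            raise ValueError(f"unknown column: {node.id}")
    return expr


def is_safe_query(expr: str, columns: set[str]) -> bool:
    """Convenience predicate: True if validate_query accepts expr."""
    try:
        validate_query(expr, columns)
    except ValueError:
        return False
    return True


def filter_rows_unsafe(df, user_expr: str):
    # VULNERABLE pattern (what the submitted query is meant to flag):
    # the untrusted string is handed to the sink unchanged.
    return df.query(user_expr)


def filter_rows(df, user_expr: str):
    # Hardened pattern: only a validated column filter reaches the sink.
    return df.query(validate_query(user_expr, set(df.columns)))


if __name__ == "__main__":
    cols = {"age", "country"}                   # constructed sample schema
    print(validate_query("age > 30 and country in ['DE', 'FR']", cols))
    for bad in ("@limit > 0", "len(age) > 1", "age.real > 1", "salary > 1"):
        print(bad, "->", "rejected" if not is_safe_query(bad, cols) else "accepted")
```

Rejecting on the parsed tree rather than with a regex is the point: the allowlist is closed, so a syntax feature the author did not think of (matrix-multiply `@`, f-strings, walrus, comprehensions) is refused by default instead of slipping through.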

ghsecuritylab commented 5 months ago

Your submission is now in status Test run.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 5 months ago

Your submission is now in status Final decision.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

xcorail commented 5 months ago

Hello @R3x

Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined this query is not eligible for a reward under the Bug Bounty program for the following reasons:

It doesn't meet the minimum complexity requirements:

To be eligible for a bounty, queries must be non-trivial, and meet a minimum complexity requirement. More concretely, queries that simply look for one or two AST elements, or that could be easily implemented with a linter or simple grep, may not be considered interesting enough for a bounty (A good way to ensure that your queries meet this requirement is to ensure it uses some more advanced analysis, like data-flow or control-flow).

If you see a way of supporting additional Python libraries with code injection sinks you might try to bundle them with this addition and create a new submission which might be eligible for a reward.

Best regards and happy hacking!

ghsecuritylab commented 5 months ago

Your submission is now in status Closed.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed