A multi-cloud framework for big data analytics and embarrassingly parallel jobs that provides a universal API for building parallel applications in the cloud ☁️🚀
Code injection could happen via environment variable.
In the code here, it directly evals the value from the environment variable. A malicious local actor could set something like export WARM_CONTAINER='os.system("touch rickroll")' to execute arbitrary commands. It would be better to use ast.literal_eval here.
For ref, this issue is similar to CVE-2022-2054.
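The eval pattern described in this report beside an ast.literal_eval reader, as an added example that is not the project's own code. The function names, the SIDE_EFFECTS marker and the sample values are hypothetical, and it assumes the variable is meant to hold the Python literal True or False.

```python
import ast
import os

ENV_VAR = "WARM_CONTAINER"  # variable name taken from the report
SIDE_EFFECTS = []           # constructed marker: shows when eval() ran code


def read_flag_eval(environ):
    """Pattern the report describes: the raw value goes straight to eval()."""
    return eval(environ.get(ENV_VAR, "False"))


def read_flag_literal(environ, default=False):
    """Hardened reader: parse Python literals only, then require a bool."""
    raw = environ.get(ENV_VAR)
    if raw is None:
        return default
    try:
        value = ast.literal_eval(raw.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError(f"{ENV_VAR} is not a Python literal: {raw!r}") from None
    if not isinstance(value, bool):  # literal_eval also accepts lists, strings...
        raise ValueError(f"{ENV_VAR} must be True or False, got {value!r}")
    return value


def demo():
    """Run both readers over constructed values and report what happened."""
    samples = [
        "True",                             # legitimate setting
        'SIDE_EFFECTS.append("executed")',  # harmless stand-in for injected code
        'os.system("touch rickroll")',      # value from the report, never eval'd
        "[1]",                              # valid literal, wrong type
    ]
    report = {}
    for raw in samples:
        try:
            report[raw] = read_flag_literal({ENV_VAR: raw})
        except ValueError:
            report[raw] = "rejected"
    SIDE_EFFECTS.clear()
    read_flag_eval({ENV_VAR: samples[1]})   # eval() executes the expression
    report["eval_side_effects"] = list(SIDE_EFFECTS)
    return report


if __name__ == "__main__":
    print(demo())
```

The type check matters because ast.literal_eval alone would still accept a non-empty list or string, which is truthy wherever the flag is tested.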