lithops-cloud / lithops

A multi-cloud framework for big data analytics and embarrassingly parallel jobs that provides a universal API for building parallel applications in the cloud ☁️🚀
http://lithops.cloud
Apache License 2.0

Potential Code Injection Vulnerability #1343

Closed nevercodecorrect closed 3 months ago

nevercodecorrect commented 4 months ago

Code injection could happen via environment variable. In code here, it directly evals the value from environment variable. A malicious local actor could set something like export WARM_CONTAINER='os.system("touch rickroll")' to execute arbitrary commands. It would be better to use ast.literal_eval here. For ref, this issue is similar to CVE-2022-2054.
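Added example, not Lithops code: the `eval` pattern the issue describes beside a hardened parser built on `ast.literal_eval`, showing why the latter stops attacker-controlled environment values from running as code. Function names and the accepted value types are assumptions.

```python
import ast
import os
from typing import Mapping, Optional


def weak_parse(raw: str):
    """The pattern the issue reports (reconstructed, assumed): eval() treats
    the environment string as Python source, so any expression, including a
    function call, is executed with the worker's privileges."""
    return eval(raw)  # noqa: S307 - kept only to contrast with the fix below


def parse_warm_container(raw: str) -> bool:
    """Hardened replacement: ast.literal_eval only builds Python literals
    (True/False, numbers, strings, containers). Names, calls, operators and
    attribute access raise ValueError/SyntaxError instead of executing."""
    try:
        value = ast.literal_eval(raw.strip())
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"WARM_CONTAINER must be a literal, got {raw!r}") from exc
    # Tighten further: only a boolean (or 0/1) is a meaningful flag here.
    if isinstance(value, bool):
        return value
    if isinstance(value, int) and value in (0, 1):
        return bool(value)
    raise ValueError(f"WARM_CONTAINER must be True/False or 0/1, got {value!r}")


def warm_container_from_env(env: Optional[Mapping[str, str]] = None) -> bool:
    """Read the flag from a mapping (defaults to os.environ); missing -> False."""
    source = os.environ if env is None else env
    return parse_warm_container(source.get("WARM_CONTAINER", "False"))


def rejects(raw: str) -> bool:
    """True if the hardened parser refuses the input (used to demonstrate
    that non-literal strings never reach the interpreter)."""
    try:
        parse_warm_container(raw)
    except ValueError:
        return True
    return False
```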

JosepSampe commented 3 months ago

Thanks for reporting @nevercodecorrect