Closed huntr-helper closed 2 years ago
Unfortunately, chartify users have configuration YAML files containing serialized Python objects, which afaik require the use of the unsafe YAML loader.
We would need to modify the configuration loading code to accept plain data and migrate users before we can switch to the safe yaml loader.
Note that there are tests in place to verify the current behavior:
https://github.com/spotify/chartify/blob/master/tests/test_colors_config.py#L20
https://github.com/spotify/chartify/blob/master/tests/test_options_config.py#L20
https://huntr.dev/users/Anon-Artist has fixed the Insecure Deserialization vulnerability. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/chartify/pull/1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/chartify/1/README.md |
User Comments:
Metadata
Arbitrary code exec vulnerability
Bounty URL: https://www.huntr.dev/bounties/1-pip-chartify
Description
Chartify is a Python library that makes it easy for data scientists to create charts. This package was vulnerable to arbitrary code execution via insecure YAML deserialization due to the use of the known vulnerable function load() in yaml.
Technical Description
This package was vulnerable to arbitrary code execution due to the use of the known vulnerable function load() in YAML. Changing that to safe_load or using SafeLoader will fix the issue.
Proof of Concept (PoC)
Install the package and run the below code:
Proof of Fix (PoF)
After applying the fix, run the PoC again: `calc` won't pop and no code will be executed. Hence code exec is mitigated.
User Acceptance Testing (UAT)
Only `SafeLoader` is used, which is the safer function; no breaking changes introduced.
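The following is an added example written for this page; it is not chartify's code and not the huntr fix. It shows the three loader behaviours the thread discusses: `yaml.load` with the full `Loader` constructing a `python/object/apply` tag at parse time (the reported code execution, using a harmless callable), `yaml.safe_load` refusing the same document, and the migration path the maintainer describes, a `SafeLoader` subclass that accepts only the custom tags a plain-data config actually needs instead of the whole unsafe loader. It requires PyYAML; the `!rgb` tag and both YAML documents are constructed for the example and are assumptions, not chartify's real config format.

```python
"""Added example (not chartify's code): unsafe load vs safe_load vs a
restricted SafeLoader subclass. Requires PyYAML. The `!rgb` tag and the two
documents below are constructed for this example, not chartify's format."""
import yaml

# Constructed untrusted document. The callable named after "apply:" is invoked
# with the listed arguments while the YAML is parsed. A harmless builtin is
# used here; any importable name (os.system, subprocess.Popen, ...) would do.
UNTRUSTED_DOC = """
title: demo
payload: !!python/object/apply:builtins.hex [255]
"""

# Constructed example of a plain-data config that still needs one custom tag.
MIGRATED_DOC = """
title: demo
accent: !rgb [255, 128, 0]
"""


def load_unsafe(text: str) -> dict:
    """The vulnerable pattern: the full Loader constructs python/* tags."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text: str) -> dict:
    """The fix from the report: safe_load knows only the core YAML types."""
    return yaml.safe_load(text)


class ConfigLoader(yaml.SafeLoader):
    """SafeLoader plus exactly the tags this hypothetical config format needs.

    Constructors are registered on the subclass (add_constructor copies the
    registry on first use), so yaml.safe_load itself is not widened and the
    python/* tags stay unreachable through this loader as well.
    """


def _construct_rgb(loader: yaml.SafeLoader, node: yaml.SequenceNode) -> tuple:
    """!rgb [r, g, b] -> (r, g, b), validating the values before returning."""
    values = loader.construct_sequence(node)
    if len(values) != 3 or not all(
        isinstance(v, int) and 0 <= v <= 255 for v in values
    ):
        raise yaml.constructor.ConstructorError(
            None, None, "!rgb expects three integers in 0..255", node.start_mark
        )
    return tuple(values)


ConfigLoader.add_constructor("!rgb", _construct_rgb)


def load_config(text: str) -> dict:
    """Restricted loader: !rgb is accepted, everything else is core YAML only."""
    return yaml.load(text, Loader=ConfigLoader)


def rejects(loader_fn, text: str) -> bool:
    """True if the given loader refuses to construct the document."""
    try:
        loader_fn(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("full Loader ran the tag:   ", load_unsafe(UNTRUSTED_DOC)["payload"])
    print("safe_load rejects it:      ", rejects(load_safe, UNTRUSTED_DOC))
    print("ConfigLoader rejects it:   ", rejects(load_config, UNTRUSTED_DOC))
    print("ConfigLoader accepts !rgb: ", load_config(MIGRATED_DOC)["accent"])
    print("safe_load rejects !rgb:    ", rejects(load_safe, MIGRATED_DOC))
```

The point for a migration like the one the maintainer outlines is the middle ground: once the config files carry plain data, any remaining structure can be expressed as a handful of explicitly registered tags on a `SafeLoader` subclass, each with its own validation, rather than by keeping `yaml.Loader` and accepting arbitrary object construction from every config file a user supplies.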