stackvana / hook.io

Open-Source Microservice Hosting Platform
https://hook.io

[experimental python] Local file inclusion #184

Closed sephialife closed 8 years ago

sephialife commented 8 years ago

Hey guys, I just took a look and it seems that it's possible to read local files using Python. I know it's an experimental feature; here is the code I tested:

```python
import pprint

# Python 2 style script; print() with a single string works on both 2 and 3
print("Hello, this is a Python script.")
print("Hook['params'] is populated with request parameters")
# Read a file from the hook's filesystem and dump its contents
pprint.pprint(open('/etc/resolv.conf', 'r').read())
```

Marak commented 8 years ago

I believe that /etc/resolve.conf is a file that has been specifically placed inside your chroot jail.

Are you able to enumerate or access any files which may cause any security issues? The shared application space should be read-only and contain no sensitive information.

Marak commented 8 years ago

Since we don't disallow reading the local files from the chroot jail, I'm going to close this issue for now.

If anyone finds any sensitive system data that can be accessed from within a hook service, please let me know.
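The two properties Marak's reply relies on (the shared application space is read-only and exposes nothing sensitive) can be checked from inside a hook rather than assumed. The script below is an added example for this thread, not hook.io's own code; it verifies that a directory rejects file creation and that a list of paths (a constructed, illustrative list here) cannot be opened for reading. Run it as a hook with the shared directory path and the list adjusted to the deployment.

```python
import os
import tempfile

# Constructed list of paths that should never be readable from a hook's jail.
# These are illustrative examples, not paths taken from hook.io's setup.
SENSITIVE_PATHS = [
    "/etc/shadow",
    "/root/.ssh/id_rsa",
    "/proc/1/environ",
]


def write_is_denied(directory):
    """Return True if a file cannot be created in `directory`.

    A missing directory counts as not writable, since nothing can be
    planted there either.
    """
    try:
        fd, path = tempfile.mkstemp(dir=directory)
    except OSError:
        return True
    # The write succeeded: clean up and report the directory as writable.
    os.close(fd)
    os.unlink(path)
    return False


def readable_sensitive_paths(paths):
    """Return the subset of `paths` that can actually be opened and read."""
    readable = []
    for p in paths:
        try:
            with open(p, "rb") as fh:
                fh.read(1)
        except OSError:
            # ENOENT or EACCES both mean the jail is doing its job for this path.
            continue
        readable.append(p)
    return readable


def audit_jail(shared_dir, sensitive=SENSITIVE_PATHS):
    """Summarise both checks; a clean jail yields read_only=True and no hits."""
    return {
        "shared_dir_read_only": write_is_denied(shared_dir),
        "readable_sensitive": readable_sensitive_paths(sensitive),
    }


if __name__ == "__main__":
    # Assumed location of the shared application space inside the hook jail.
    print(audit_jail("/"))
```

Any path reported under `readable_sensitive` is a finding of the kind the thread asks for; an empty list plus `shared_dir_read_only: True` is the state the maintainer describes.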

pyhedgehog commented 7 years ago

@sephialife, please join the discussion, which is important for Python support.