statsmodels / statsmodels

Statsmodels: statistical modeling and econometrics in Python
http://www.statsmodels.org/devel/
BSD 3-Clause "New" or "Revised" License

How to get in touch regarding a security concern #9232

Open psmoros opened 1 month ago

psmoros commented 1 month ago

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@tvnnn) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

toolslive commented 3 weeks ago

Hi, I think I found an issue (might be the same as the potential issue above, or a different one). So can we move forward with this?

The alternative is just adding an issue with a security tag, but I would like to give you a head start.

bashtage commented 3 weeks ago

Is it the use of pickle?

toolslive commented 3 weeks ago

No.

josef-pkt commented 1 week ago

Should we activate https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability

then maintainers would get notifications and it's private.

CodeQL does not show any security warnings, except the jinja doc build, which is build code and not user code. https://github.com/statsmodels/statsmodels/security/code-scanning

toolslive commented 1 week ago

The "privately-reporting-a-security-vulnerability" flow doesn't seem to work. Alternatively I could just post a proof of concept exploit here. The maintainers had ample opportunity to react.

bashtage commented 1 week ago

Just go ahead and post it.

josef-pkt commented 1 week ago

Or send a private email to me and bashtage.

josef-pkt commented 1 week ago

the "privately-reporting-a-security-vulnerability" flow doesn't seem to work.

we have not enabled it yet. My question was whether we need or should enable it.

In general, statsmodels is intended for interactive use or automated use. E.g., formula handling by patsy and formulaic uses eval. It's the responsibility of the caller not to do anything unsafe.

In statsmodels itself, I think we are not doing anything that can cause security concerns.
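As an added example that is not part of this thread or of the statsmodels code base: since formula strings are handed to eval by patsy and formulaic, a caller that accepts formulas from untrusted input should allowlist them before calling statsmodels. The validator below tokenizes the formula with Python's own tokenizer and accepts only known column names, a small set of assumed formula helper names (C, I), numbers and the usual formula operators; everything else (attribute access, strings, unknown names, brackets) is rejected.

```python
import io
import tokenize

# Operator tokens commonly used in patsy/formulaic formulas (assumption:
# extend this set if your models need more, e.g. "%in%").
ALLOWED_OPS = {"~", "+", "-", "*", "/", ":", "**", "(", ")"}
# Tokens the tokenizer emits for structure only; they carry no code.
STRUCTURAL = {tokenize.ENCODING, tokenize.NEWLINE, tokenize.NL, tokenize.ENDMARKER}


def validate_formula(formula, columns, functions=frozenset({"C", "I"})):
    """Return (ok, reason).

    ok is True only if every token is a known column name, an allowed
    helper function name, a number, or an allowed operator. Because the
    formula is later eval'ed, any other token (".", strings, "[", ",",
    unknown names such as __import__) is refused before it reaches patsy.
    """
    if formula.count("~") != 1:
        return False, "formula must contain exactly one '~'"
    try:
        tokens = list(tokenize.tokenize(io.BytesIO(formula.encode()).readline))
    except (tokenize.TokenError, SyntaxError) as exc:
        return False, f"cannot tokenize: {exc}"
    for tok in tokens:
        if tok.type in STRUCTURAL:
            continue
        if tok.type == tokenize.NAME:
            if tok.string in columns or tok.string in functions:
                continue
            return False, f"unknown name {tok.string!r}"
        if tok.type == tokenize.NUMBER:
            continue
        if tok.type == tokenize.OP and tok.string in ALLOWED_OPS:
            continue
        return False, f"disallowed token {tok.string!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the column set would normally come from df.columns.
    cols = {"y", "x1", "x2"}
    for f in ["y ~ x1 + x2", "y ~ C(x1):x2 + I(x2 ** 2)", "y ~ x1.__class__"]:
        print(f, "->", validate_formula(f, cols))
```

Only a formula that passes this check should be passed on to statsmodels' formula API; the check is deliberately strict, so legitimate but unusual formulas will need the allowlists extended rather than the check bypassed.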