Closed: williamstlr closed this issue 4 years ago
I am sure what am I looking at - the vulnerability caused by running TabPy?
FWIW this is documented already in security considerations:
https://github.com/tableau/TabPy/blob/master/docs/security.md
Not sure what the priority is to address that; executing arbitrary code is by nature insecure, but perhaps could blacklist particular modules like os to mitigate.
Should also probably limit permissions of whichever user is running the server to prevent access to other directories
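The second mitigation above (running the server as a restricted user that cannot reach other directories) can be expressed as a systemd unit on the Ubuntu host from the report. The script below is an added example, not TabPy's own code and not part of this thread: `render_tabpy_unit` prints a unit that runs the service as a dedicated unprivileged user with a read-only view of the filesystem, and `check_unit_hardening` verifies that a unit file contains those directives. The user name `tabpy`, the state directory `/var/lib/tabpy`, the install path `/usr/local/bin/tabpy` and the `--config` flag are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the TabPy project or this issue thread).
# Assumptions: a dedicated system user "tabpy", a state directory under
# /var/lib/tabpy, and a "tabpy" launcher that accepts --config.

# Print a systemd unit that runs TabPy as an unprivileged user.
# $1 = service user (default tabpy), $2 = writable state dir (default /var/lib/tabpy)
render_tabpy_unit() {
  user="${1:-tabpy}"
  state_dir="${2:-/var/lib/tabpy}"
  cat <<EOF
[Unit]
Description=TabPy (runs as unprivileged user ${user})
After=network.target

[Service]
User=${user}
Group=${user}
# Keep the endpoint off the public Internet: private network or reverse proxy in front.
ExecStart=/usr/local/bin/tabpy --config ${state_dir}/tabpy.conf
WorkingDirectory=${state_dir}
# Filesystem is read-only for the service except its own state directory.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=${state_dir}
PrivateTmp=yes
# Scripts executed by the service cannot gain privileges via setuid binaries.
NoNewPrivileges=yes
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Read a unit file on stdin; return 0 if every hardening directive is present,
# otherwise name the first missing one on stderr and return 1.
check_unit_hardening() {
  unit="$(cat)"
  for directive in 'User=' 'ProtectSystem=strict' 'ProtectHome=yes' \
                   'PrivateTmp=yes' 'NoNewPrivileges=yes'; do
    case "$unit" in
      *"$directive"*) ;;
      *) echo "missing: $directive" >&2; return 1 ;;
    esac
  done
  return 0
}

# Usage (requires root on the target host):
#   useradd --system --home /var/lib/tabpy --shell /usr/sbin/nologin tabpy
#   render_tabpy_unit tabpy /var/lib/tabpy > /etc/systemd/system/tabpy.service
#   check_unit_hardening < /etc/systemd/system/tabpy.service && systemctl daemon-reload
```

The checker is the part worth keeping around: run it against the deployed unit whenever the service is reinstalled, so a regression to `User=root` or a dropped `ProtectSystem=` is caught before the next scan flags it.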
Alright, sounds like the 3rd point on security.md is the one you're talking about, right? Guess I misunderstood the scope of that when I read it. That's a bit bigger deal to me than I'd realized, especially since my TabPy endpoint is public-facing. Am I correct in understanding that mitigating this is not a priority? If it's not I'll approach this from a different angle.
I'm going to move this on my network and call this good.
I should clarify that it’s not “not a priority” but something you should be aware of in the interim. @nmannheimer
Not sure if this is the correct place for this, so if it's the wrong place please direct me to where or how I should do this differently.
Environment: Ubuntu 18.04.3, Python 3.6.8, TabPy 0.8.9
I run security scans against my environment with tenable.io (pretty much just Nessus if I understand it correctly) and the scans on my infrastructure are reporting a directory traversal vulnerability. Screenshot of the scan output below.
Multiple scans have come back with this result.