Possible Arbitrary code execution bug.

tensorlayer / TensorLayer

Deep Learning and Reinforcement Learning Library for Scientists and Engineers

http://tensorlayerx.com

Other

7.31k stars 1.61k forks source link

Possible Arbitrary code execution bug. #1116

Open d3m0n-r00t opened 3 years ago

d3m0n-r00t commented 3 years ago

New Issue Checklist

[x] I have read the Contribution Guidelines
[x] I searched for existing GitHub issues

Issue Description

Possibility of arbitrary code execution in tensorlayer.

Issue problem and fix explained here (https://github.com/418sec/tensorlayer/pull/1)

gurshafriri commented 3 years ago

@zsdonghao @Laicheng0830 Did you have any chance to look at it? If it is a valid vulnerability in the context of tensorlayer we (at Snyk would like to add it to our vulnerability db

d3m0n-r00t commented 3 years ago

@zsdonghao Any comments on this?????

Laicheng0830 commented 3 years ago

@d3m0n-r00t This is a potential security hole, you can fix it with Pull requests.

d3m0n-r00t commented 3 years ago

@Laicheng0830 I have created a fix with huntr. Please find the fix here (https://github.com/418sec/tensorlayer/pull/1).

JamieSlome commented 3 years ago

Attaching the original disclosure for reference:

https://github.com/418sec/huntr/pull/1791 and https://www.huntr.dev/bounties/1-pip-tensorlayer/