Python : Arbitrary code execution due to Js2Py
Js2Py is a JavaScript to Python translation library written in Python. It allows users to invoke JavaScript code directly from Python. The Js2Py interpreter by default exposes the entire standard library to its users. This can lead to security issues if a malicious input were directly.
This PR includes a CodeQL query along with a qhelp and testcases to detect cases where an untrusted input flows to an Js2Py eval call.
This query successfully detects CVE-2023-0297 in pyload/pyload along with its fix. The databases can be downloaded from the links below.
https://file.io/qrMEjSJJoTq1
https://filetransfer.io/data-package/a02eab7V#link
Hello porcupineyhairs 👋
You have submitted this pull request as a bug bounty report in the github/securitylab repository and therefore this pull request has been put into draft state to give time for the GitHub Security Lab to assess the PR. When GitHub Security Lab has finished assessing your pull request, it will be marked automatically as Ready for review. Until then, please don't change the draft state.
In the meantime, feel free to make changes to the pull request. If you'd like to maximize payout for this and future submissions, here are a few general guidelines that we might take into consideration when reviewing a submission.
- the submission models widely-used frameworks/libraries
- the vulnerability modeled in the submission is impactful
- the submission finds new true positive vulnerabilities
- the submission finds very few false positives
- code in the submission is easy to read and will be easy to maintain
- documentation is written clearly, highlighting the impact of the issue it finds and is written without grammatical or other errors. The code samples clearly show the vulnerability
- the submission includes tests, change note etc.
Please note that these are guidelines, not rules. Since we have a lot of different types of submissions, the guidelines might vary for each submission.
Happy hacking!
@github/codeql-python 👋 This submission is ready for review.
QHelp previews:
python/ql/src/experimental/Security/CWE-094/Js2Py.qhelp
JavaScript code execution.
Passing untrusted inputs to a JavaScript interpreter like `Js2Py` can lead to arbitrary code execution.
Recommendation
This vulnerability can be prevented by not letting untrusted user input flow to an eval_js call. Alternatively, the impact of this vulnerability can be significantly reduced by disabling imports from the interpreted code (note that in a comment the author of the library highlights that Js2Py is still insecure with this option).
Example
In the example below, the JavaScript code being evaluated is controlled by the user and hence leads to arbitrary code execution.
```python
import flask
from js2py import eval_js
bp = flask.Blueprint("demo", __name__)  # blueprint assumed by the sample

@bp.route("/bad")
def bad():
    jk = flask.request.form["jk"]  # untrusted, request-controlled string
    jk = eval_js(f"{jk} f()")      # evaluated by Js2Py with Python imports enabled
```
This can be fixed by disabling imports before evaluating the user-passed buffer.
```python
import flask
import js2py
from js2py import eval_js
bp = flask.Blueprint("demo", __name__)  # blueprint assumed by the sample

@bp.route("/good")
def good():
    # disable python imports to prevent execution of malicious code
    js2py.disable_pyimport()
    jk = flask.request.form["jk"]
    jk = eval_js(f"{jk} f()")
```
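The PR description says the submitted query flags untrusted input reaching an eval_js call; the query itself is not shown on this page, so the following is an added illustration of how such a taint-tracking query is typically written in CodeQL for Python, not the PR's own code. The query id, the sink list (`eval_js`, `eval_js6`) and the alert message are assumptions.

```ql
/**
 * @name JavaScript code execution via Js2Py (illustrative)
 * @description Untrusted input evaluated by Js2Py can execute arbitrary Python.
 * @kind path-problem
 * @problem.severity error
 * @id py/example-js2py-code-execution
 */

// Query id above is a placeholder chosen for this illustration, not the PR's id.
import python
import semmle.python.ApiGraphs
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import DataFlow::PathGraph

/** Taint configuration: remote user input flowing into a Js2Py evaluation call. */
class Js2PyConfig extends TaintTracking::Configuration {
  Js2PyConfig() { this = "Js2PyConfig" }

  // Sources: anything CodeQL models as remote input (e.g. flask.request.form).
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sinks: the JavaScript source string, i.e. the first positional argument of
  // js2py.eval_js / js2py.eval_js6 (sink list is an assumption of this example).
  override predicate isSink(DataFlow::Node sink) {
    sink = API::moduleImport("js2py").getMember(["eval_js", "eval_js6"]).getACall().getArg(0)
  }
}

from Js2PyConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This JavaScript code depends on a $@.", source.getNode(),
  "user-provided value"
```

Run against the `bad` handler above, the f-string built from `flask.request.form["jk"]` is a taint step into `eval_js`'s first argument, so a path from the form access to the call is reported; a sanitizer for `disable_pyimport()` would have to be added separately to suppress the `good` case.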
@RasmusWL Changes done!
I would strongly advise to just push additional commits to your branch/PR next time. By doing so, it becomes very easy for me to see the changes you made after reading my review. With the force push, I have to remember what the code looked like before and try to figure out what has changed :thinking:
@RasmusWL Sorry about that. I made a couple of mistakes while merging so I had to force push again.