
Python OS Command Execution via Examples

Open wdahlenburg opened this issue 1 year ago • 0 comments

Description

All of the Python SSE servers currently support arbitrary command injection. Some of the other examples do a better job restricting functions to expected code input.

Mutual TLS should be in front of these servers, but in case it's not configured anyone can execute arbitrary OS commands fairly easily against the examples.

The eval and exec functions are unsafe for user input. It'd be good to update the examples with a more secure server for users to use as a template.

Steps to Reproduce

  1. Set up a Qlik analytic connection and run any of the example Python servers, such as helloworld
  2. Configure the extension editor in Qlik to run SSEPython.ScriptEvalStr('__import__("os").popen("ls -la").read()', HelloWorldData). Modify the output field if not using the SSE_Hello_World.qvf to another string field.
  3. Apply the expression and observe that the server executes ls -la on the host.

For columnoperations: SSEPython.ScriptEval('__import__("os").popen("ls -la").read()', [], HelloWorldData)

For fullscriptsupport_pandas (which used exec instead of eval): SSEPython.ScriptEval('__import__("os").popen("touch /tmp/x").read()')

The fullscriptsupport example can use the same payload as the helloworld example.

Expected behavior

The example servers should be secure against remote code execution vulnerabilities.

Actual behavior

Unexpected users can execute OS commands on servers hosting the Python examples.

Environment

Operating system
[ ] Windows
[X] Linux
Qlik Sense
[ ] Desktop
[X] Server

Versions

  • server-side-extension: Latest
  • Qlik Sense:
  • Operating system:
  • [Other relevant versions]

wdahlenburg avatar Jan 26 '24 23:01 wdahlenburg
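A restricted evaluator of the kind the issue asks for, as an added example that is not code from the server-side-extension project: it assumes the server passes the request's column values in as a dict (the name HelloWorldData is reused here) and that scripts are plain arithmetic or comparison expressions over those columns, so `eval()`/`exec()` of the raw string is never reached.

```python
import ast
import operator

# Added example, not the server-side-extension project's code: a restricted
# evaluator for ScriptEval-style requests. Only arithmetic and comparisons over
# named columns are accepted; calls, attributes and unknown names (e.g. __import__) raise.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod,
}
_CMP_OPS = {
    ast.Gt: operator.gt, ast.Lt: operator.lt, ast.Eq: operator.eq,
    ast.GtE: operator.ge, ast.LtE: operator.le, ast.NotEq: operator.ne,
}
class UnsafeScript(ValueError):
    """Script uses syntax outside the allowed expression subset."""
def _eval_node(node, columns):
    # Literals: only plain numbers and strings, never containers or code objects.
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    # Names resolve only to supplied column values; no builtins are reachable.
    if isinstance(node, ast.Name):
        if node.id not in columns:
            raise UnsafeScript(f"unknown column: {node.id}")
        return columns[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left, columns), _eval_node(node.right, columns)
        if not all(isinstance(v, (int, float)) for v in (left, right)):
            raise UnsafeScript("arithmetic is allowed on numbers only")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP_OPS:
        left, right = _eval_node(node.left, columns), _eval_node(node.comparators[0], columns)
        return _CMP_OPS[type(node.ops[0])](left, right)
    # Everything else (Call, Attribute, Subscript, Lambda, comprehensions, ...) is refused.
    raise UnsafeScript(f"disallowed syntax: {type(node).__name__}")

def safe_script_eval(script, columns):
    """Evaluate `script` against {column_name: value} under the restricted grammar."""
    try:
        tree = ast.parse(script, mode="eval")
    except SyntaxError as exc:
        raise UnsafeScript(f"invalid expression: {exc}") from None
    return _eval_node(tree.body, columns)

def is_script_allowed(script, columns):
    """Request-validation helper: True only if the script passes the restricted evaluator."""
    try:
        safe_script_eval(script, columns)
        return True
    except UnsafeScript:
        return False
```

Hook `safe_script_eval` into the request handler where the example servers currently call `eval`; rejecting at parse time means the attempted import never executes.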