cmssw

Potential Issue regarding Code Injection

Open nevercodecorrect opened this issue 9 months ago • 4 comments

In the code here, it directly evaluates the value from an environment variable. A malicious local actor could set something like export ALIGNMENT_PHOTOGRAMMETRY='os.system("touch rickroll")' to execute arbitrary commands. It would be better to use ast.literal_eval here. This issue is similar to CVE-2022-2054.

nevercodecorrect May 10 '24 17:05
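The fix the issue proposes, as an added example rather than code from the cmssw repository: the eval() pattern being reported next to a literal-only parser built on ast.literal_eval, with the rejected input taken from the issue text. The function and parameter names are assumptions for illustration; only the variable name ALIGNMENT_PHOTOGRAMMETRY comes from the issue.

```python
import ast
import os
from typing import Any, Mapping

ENV_NAME = "ALIGNMENT_PHOTOGRAMMETRY"


def read_setting_unsafe(raw: str) -> Any:
    """The pattern the issue objects to: eval() runs any Python expression,
    so whoever controls the environment variable controls the process."""
    return eval(raw)  # kept only to contrast with the hardened version below


def read_setting_safe(raw: str, default: Any = None) -> Any:
    """Parse a Python literal (numbers, strings, lists, tuples, dicts, sets,
    booleans, None) from an untrusted string; anything else yields `default`.

    ast.literal_eval never calls, imports or looks up names, so an expression
    such as os.system(...) is rejected with ValueError instead of executed.
    It can still raise SyntaxError on malformed text, and MemoryError or
    RecursionError on absurdly nested input, so those are caught as well.
    """
    try:
        return ast.literal_eval(raw.strip())
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        return default


def load_setting(env: Mapping[str, str] = os.environ, default: Any = None) -> Any:
    """Read ENV_NAME from `env` (defaults to the real environment) safely."""
    raw = env.get(ENV_NAME)
    if raw is None:
        return default
    return read_setting_safe(raw, default)


if __name__ == "__main__":
    # Constructed sample environment: a legitimate literal and the value
    # quoted in the issue. Neither is ever passed to eval().
    good_env = {ENV_NAME: "{'tolerance': 0.5, 'iterations': 10}"}
    bad_env = {ENV_NAME: 'os.system("touch rickroll")'}
    print(load_setting(good_env))                     # {'tolerance': 0.5, 'iterations': 10}
    print(load_setting(bad_env, default="rejected"))  # rejected
```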