rio
CVE-2024-27322 and this package
CVE-2024-27322 is partially fixed in R 4.4.0. But the attack surface is still there. First, this package supports R > 3.6, therefore the partial fix in 4.4.0 is not applied in many supported versions. Second, even with 4.4.0, deserialization of `.Rdata` and `.RDS` can in some cases still invoke arbitrary code execution. See this message by gws.
We can't be too nanny, but should we rethink the "any R object" policy of `.Rdata` (https://github.com/gesistsa/rio/blob/c529994b479f2014e64d9dc4d4c21f4032c48ca1/R/import.R#L31), `.RDS` (https://github.com/gesistsa/rio/blob/c529994b479f2014e64d9dc4d4c21f4032c48ca1/R/import.R#L32) and `qs` (https://github.com/gesistsa/rio/blob/c529994b479f2014e64d9dc4d4c21f4032c48ca1/R/import.R#L33-L35)?
There are several options:
- Warn about non-data-frame objects
- Completely forbid non-data-frame objects
- Only forbid Promise
- Just warn in the doc
- Don't be nanny