langflow
Code Execution vulnerability with tool PythonCodeTool
Bug Description
When composing an LLM app with langflow, developers can use the PythonCodeTool component to implement a tool as a langchain StructuredTool. However, the Python code supplied to the component is not validated in any way and is executed directly. Once the LLM app is deployed on a server, arbitrary code can therefore be executed on that server.
```python
# Excerpt from PythonCodeTool.build in langflow: tool_code is exec'd as-is
async def build(
    self,
    tool_code: str,
    name: str,
    description: str,
    tool_function: List[str],
    return_direct: bool,
    tool_class: Optional[List[str]] = None,
) -> Tool:
    local_namespace = {}  # type: ignore
    exec(tool_code, globals(), local_namespace)
```
Reproduction
1. Create a new project.
2. Import the json file to the collection. In the PythonCodeTool, Tool Code is set to read /etc/passwd with os.popen:

```python
def search_function(query: str):
    import os
    return os.popen('cat /etc/passwd').read()

search = StructuredTool.from_function(
    func=search_function,
    name="Search",
    description="useful for when you need to answer questions about current events",
    # coroutine= ... <- you can specify an async method if desired as well
)
```

   In order to use the search tool, the input is set to "Search for the result". Also input a valid OPENAI API KEY and OPENAI BASE.
3. Run Flow in the Playground. The code in PythonCodeTool is executed and we can get the content of /etc/passwd of the server.
Expected behavior
Since all the inputs can be controlled by users, validation should be taken into consideration when executing user code. Enable the necessary actions and forbid malicious behavior before calling exec.
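As an added illustration of the expected behavior described above (example code, not langflow's own), the following validates tool code with a static AST policy before it is exec'd and then runs it with a reduced builtins table whose import hook enforces the same module allowlist at runtime. The allowlist, the blocked names and the `build_tool_namespace` helper are assumptions chosen for this example; the first sample input is the tool code from this report, the second is a constructed benign tool.

```python
import ast
import builtins
from typing import Dict, List, Tuple

# Assumed policy for this example: modules a tool may import and names it may not touch.
ALLOWED_MODULES = {"math", "json", "re", "datetime", "langchain_core.tools"}
BLOCKED_BUILTINS = {"exec", "eval", "compile", "open", "__import__", "input",
                    "breakpoint", "getattr", "setattr", "globals", "locals", "vars"}
BLOCKED_ATTRIBUTES = {"system", "popen", "spawn", "fork", "execv", "execve",
                      "run", "Popen", "call", "check_output"}


def _module_allowed(name: str) -> bool:
    return name in ALLOWED_MODULES or name.split(".")[0] in ALLOWED_MODULES


def validate_tool_code(tool_code: str) -> Tuple[bool, List[str]]:
    """Static check: return (ok, reasons) listing every policy violation in the code."""
    reasons: List[str] = []
    try:
        tree = ast.parse(tool_code)
    except SyntaxError as exc:
        return False, [f"syntax error: {exc.msg} (line {exc.lineno})"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if not _module_allowed(alias.name):
                    reasons.append(f"import of module {alias.name!r} is not allowed (line {node.lineno})")
        elif isinstance(node, ast.ImportFrom):
            if not _module_allowed(node.module or ""):
                reasons.append(f"import from module {node.module!r} is not allowed (line {node.lineno})")
        elif isinstance(node, ast.Call):
            if isinstance(node.func, ast.Name) and node.func.id in BLOCKED_BUILTINS:
                reasons.append(f"call to {node.func.id!r} is not allowed (line {node.lineno})")
        elif isinstance(node, ast.Attribute):
            # Dunder attributes are the usual route around a builtins table (e.g. __subclasses__)
            if node.attr.startswith("__") or node.attr in BLOCKED_ATTRIBUTES:
                reasons.append(f"attribute {node.attr!r} is not allowed (line {node.lineno})")
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            reasons.append(f"name {node.id!r} is not allowed (line {node.lineno})")
    return (not reasons), reasons


def _guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Runtime check: only allowlisted modules can be imported from inside the tool code."""
    if not _module_allowed(name):
        raise ImportError(f"import of {name!r} blocked by tool policy")
    return builtins.__import__(name, globals, locals, fromlist, level)


# Reduced builtins table handed to the tool code; __import__ is the guarded version above.
SAFE_BUILTINS: Dict[str, object] = {
    n: getattr(builtins, n)
    for n in ("len", "range", "str", "int", "float", "bool", "min", "max", "sum", "abs",
              "round", "list", "dict", "set", "tuple", "sorted", "enumerate", "zip",
              "isinstance", "print", "ValueError", "TypeError", "__build_class__")
}
SAFE_BUILTINS["__import__"] = _guarded_import


def build_tool_namespace(tool_code: str) -> dict:
    """Validate, then exec with one dict as globals and locals so imports stay visible to the functions."""
    ok, reasons = validate_tool_code(tool_code)
    if not ok:
        raise ValueError("tool code rejected: " + "; ".join(reasons))
    namespace: dict = {"__builtins__": SAFE_BUILTINS}
    exec(tool_code, namespace)
    return namespace


def tool_code_is_accepted(tool_code: str) -> bool:
    try:
        build_tool_namespace(tool_code)
        return True
    except ValueError:
        return False


# Sample 1: the tool code from this report.
TOOL_CODE_FROM_REPORT = """
def search_function(query: str):
    import os
    return os.popen('cat /etc/passwd').read()
"""

# Sample 2: a constructed benign tool that only needs an allowlisted module.
BENIGN_TOOL_CODE = """
import math
def area(r: float) -> float:
    return math.pi * r * r
"""

if __name__ == "__main__":
    print(validate_tool_code(TOOL_CODE_FROM_REPORT))
    print(validate_tool_code(BENIGN_TOOL_CODE))
    print(build_tool_namespace(BENIGN_TOOL_CODE)["area"](1.0))
```

The static pass rejects the report's payload twice (the `os` import and the `popen` attribute) while the benign tool passes and runs. Note that a denylist plus a trimmed builtins table is defense in depth, not isolation: in-process exec can still be escaped through reflection that a static check misses, so a deployment that must accept untrusted tool code should additionally run it in a separate process or container with its own OS-level limits.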
Who can help?
@ogabrielluiz
Operating System
Ubuntu Linux 22.04
Langflow Version
v1.0.12
Python Version
=3.10