
Decompiler can execute arbitrary code

Open hashkitten opened this issue 2 years ago • 2 comments

Description

Compile the following program to bytecode using python -m compileall, then run decompyle3 on it:

foo('%{__import__("os").system("date")}', **x, y=1)

It will run the date command on the user's machine.

Expected behavior

It should not run arbitrary code on the user's machine while decompiling.

Additional Context

The bug is a double format here: https://github.com/rocky/python-decompile3/blob/f0b39d07a66233db3fab010173b355b68a217f6b/decompyle3/semantics/customize37.py#L1182

The string is interpolated with user data, then placed into the templating engine.

hashkitten avatar Sep 08 '23 12:09 hashkitten
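The double-format pattern the report points at, as an added example that is not part of the issue and not decompyle3's own code: the `TemplateEngine` below is a constructed stand-in with a decompiler-style `%c` / `%{expr}` syntax, `PAYLOAD` uses `math.factorial` where the report used `os.system("date")` so the effect is observable without a side effect, and the `render_call_*` helpers are hypothetical names for the call site. The point is the same: the string constant from the bytecode is interpolated with Python's `%` operator first, and the engine then evaluates the `%{...}` it contains.

```python
"""Model of the double-format bug: an untrusted string constant recovered from
bytecode is spliced into a template with Python's % operator, and the template
engine then interprets any %{...} in it as code to eval().  Constructed example;
the engine below is a stripped-down stand-in, not decompyle3's own."""
import re


class TemplateEngine:
    # Directives (modelled on decompiler-style templates, an assumption here):
    #   %%        literal percent sign
    #   %c        next positional argument, inserted as-is (never rescanned)
    #   %{expr}   eval(expr) and insert str() of the result -- the dangerous one
    _directive = re.compile(r"%(?:(?P<pct>%)|(?P<child>c)|\{(?P<expr>[^}]*)\})")

    def render(self, template, args=()):
        out, pos, argi = [], 0, 0
        for m in self._directive.finditer(template):
            out.append(template[pos:m.start()])
            pos = m.end()
            if m.group("pct"):
                out.append("%")
            elif m.group("child"):
                out.append(args[argi])      # inserted verbatim, not re-parsed
                argi += 1
            else:
                # Expression evaluation intended for the decompiler's own templates.
                out.append(str(eval(m.group("expr"), {}, {})))
        out.append(template[pos:])
        return "".join(out)


# A string constant an attacker placed in the .pyc being decompiled (constructed;
# factorial stands in for the os.system("date") of the report).
PAYLOAD = '%{__import__("math").factorial(5)}'


def render_call_vulnerable(engine, fn_name, literal):
    # BAD: two rounds of formatting.  The first (% operator) bakes the untrusted
    # literal into the template text; the second (engine.render) treats the
    # %{...} it contains as a directive and evaluates it.
    template = "%s(%s)" % (fn_name, repr(literal))
    return engine.render(template)


def render_call_hardened(engine, fn_name, literal):
    # GOOD: untrusted text never becomes template syntax.  It is handed to the
    # engine as a positional argument and substituted for %c without rescanning.
    return engine.render("%c(%c)", [fn_name, repr(literal)])


def escape_for_template(text):
    # Alternative fix if the data must be inlined: neutralise every % first.
    return text.replace("%", "%%")


def render_call_escaped(engine, fn_name, literal):
    template = "%s(%s)" % (escape_for_template(fn_name), escape_for_template(repr(literal)))
    return engine.render(template)


if __name__ == "__main__":
    eng = TemplateEngine()
    print("vulnerable:", render_call_vulnerable(eng, "foo", PAYLOAD))
    print("hardened:  ", render_call_hardened(eng, "foo", PAYLOAD))
    print("escaped:   ", render_call_escaped(eng, "foo", PAYLOAD))
```

The vulnerable path prints `foo('120')`, proof that the expression inside the string constant was evaluated; both fixed paths print the constant back unchanged. Of the two fixes, passing data as an engine argument is the more robust one, because it does not depend on remembering to escape at every call site that builds a template from decompiled data.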

Thanks for the report. Are you up for fixing this and putting in a PR?

rocky avatar Sep 08 '23 14:09 rocky

https://github.com/rocky/python-decompile3/pull/154

hashkitten avatar Sep 11 '23 04:09 hashkitten

Fixed by #154

rocky avatar Mar 25 '24 10:03 rocky

Fixed now in uncompyle6 as well.

rocky avatar Mar 25 '24 10:03 rocky