mirror of
https://github.com/github/codeql.git
synced 2026-04-26 01:05:15 +02:00
Python: Arbitrary code execution due to Js2Py
Js2Py is a JavaScript to Python translation library written in Python. It allows users to invoke JavaScript code directly from Python. The Js2Py interpreter by default exposes the entire standard library to its users. This can lead to security issues if a malicious input were directly. This PR includes a CodeQL query along with a qhelp and test cases to detect cases where an untrusted input flows to a Js2Py eval call. This query successfully detects CVE-2023-0297 in `pyload/pyload` along with its fix. The databases can be downloaded from the links below.

```
https://file.io/qrMEjSJJoTq1
https://filetransfer.io/data-package/a02eab7V#link
```
@@ -0,0 +1,10 @@
|
||||
edges
|
||||
| Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | provenance | |
|
||||
| Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | provenance | AdditionalTaintStep |
|
||||
nodes
|
||||
| Js2PyTest.py:9:5:9:6 | ControlFlowNode for jk | semmle.label | ControlFlowNode for jk |
|
||||
| Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring |
|
||||
subpaths
|
||||
#select
|
||||
| Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | Js2PyTest.py:9:10:9:22 | ControlFlowNode for Attribute | Js2PyTest.py:10:18:10:28 | ControlFlowNode for Fstring | This can lead to arbitrary code execution |
|
||||
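Review bot: the `#select` row's message, "This can lead to arbitrary code execution", is a bare string with no `$@` placeholder, so the alert will not link back to the tainted source even though the file is in path-problem format (`edges`/`nodes`/`subpaths` sections). The Python security queries in this repository phrase such messages as, for example, "This JavaScript evaluation depends on a $@." and select the source node plus a label like "user-provided value" as the trailing columns; if the query is changed that way, this expected row needs the extra columns too. The two edges themselves look right: `flask.request` (9:10-9:22) is the modelled remote flow source, the `AdditionalTaintStep` covers the `.form["jk"]` access into `jk`, and `jk` then flows into the f-string at 10:18-10:28.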
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE-094/Js2Py.ql
|
||||
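Review bot: the qlref names `experimental/Security/CWE-094/Js2Py.ql`, so the `.expected` file in this PR (which uses the path-problem layout) only matches if that query declares `@kind path-problem` together with the usual `@id` (`py/...`), `@problem.severity` and `@security-severity` metadata, and the test directory must sit at the mirrored path under the Python experimental test tree for the qlref to resolve. Since the description says a qhelp is included, also confirm that `Js2Py.qhelp` is placed next to the `.ql` file at this same path so it is picked up as the query's documentation.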
@@ -0,0 +1,10 @@
|
||||
|
||||
import flask
|
||||
from js2py import eval_js, disable_pyimport
|
||||
|
||||
bp = flask.Blueprint("app", __name__, url_prefix="/")
|
||||
|
||||
@bp.route("/bad")
|
||||
def bad():
|
||||
jk = flask.request.form["jk"]
|
||||
jk = eval_js(f"{jk} f()")
|
||||
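Review bot: `disable_pyimport` is imported on the `from js2py import eval_js, disable_pyimport` line but never called, and the test contains only the `bad` route, so there is no case that exercises the query's false-positive side. Either drop the unused import or add a `good` route that evaluates a fixed script once and passes `flask.request.form["jk"]` to the resulting JavaScript function as an argument instead of interpolating it into the source, and decide explicitly whether a route that calls `disable_pyimport()` before `eval_js(f"{jk} f()")` should still be flagged (it is still untrusted code evaluation, so presumably yes) and record that in the test. A minor point: `bad()` returns nothing; returning the `eval_js` result would make it a realistic Flask handler, although it does not change the taint path.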