Python: Add Code Injection Sinks for Pandas
Query PR: (not provided)
Language: Python
CVE(s) ID list: (none)
CWE: CWE-094
1/2. Pandas has a function to query the columns of a Pandas DataFrame with a boolean expression.
However, this function allows referring to variables in the environment by prefixing them with an ‘@’ character, as in @A + b. This can be exploited to call Python functions if untrusted user input is passed.
Example: https://book.hacktricks.xyz/generic-methodologies-and-resources/python/bypass-python-sandboxes#other-libraries-that-allow-to-eval-python-code
3. Sources would be any remote untrusted input, for example, parameters from a Flask request.
4. We didn't add any additional sanitizers.
Are you planning to discuss this vulnerability submission publicly? (Blog post, social networks, etc.)
- Yes
- No
Blog post link: No response
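The sink the report describes, with a defensive allowlist placed in front of it. This is an added example, not code from the submission or from pandas: it assumes the filter arrives as an untrusted string (such as a Flask request parameter) and that the queryable column names are known; `build_safe_query` and `UnsafeFilter` are hypothetical names.

```python
import ast
from typing import Iterable

# Vulnerable pattern from the report (untrusted string straight into the sink):
#     df.query(request.args["filter"])
# The helper below accepts only <column> <comparison> <literal> clauses
# joined by and / or / not, and rejects everything else before query() runs.
class UnsafeFilter(ValueError):
    """Raised when a user-supplied filter falls outside the allowlisted grammar."""

_ALLOWED_CMP = (ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE)

def build_safe_query(user_filter: str, allowed_columns: Iterable[str]) -> str:
    """Return a normalized expression safe to pass to DataFrame.query, or raise."""
    columns = set(allowed_columns)
    if len(user_filter) > 500:
        raise UnsafeFilter("filter too long")
    try:
        # ast.parse only parses; nothing is evaluated. pandas extensions such as
        # '@var' references or `backtick` names are not Python and fail here.
        tree = ast.parse(user_filter, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise UnsafeFilter(f"not a plain comparison expression: {exc}") from None

    def check(node: ast.AST) -> None:
        if isinstance(node, ast.Expression):
            check(node.body)
        elif isinstance(node, ast.BoolOp):                       # and / or
            for value in node.values:
                check(value)
        elif isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            check(node.operand)
        elif isinstance(node, ast.Compare):
            if not all(isinstance(op, _ALLOWED_CMP) for op in node.ops):
                raise UnsafeFilter("only ==, !=, <, <=, >, >= are allowed")
            for operand in (node.left, *node.comparators):
                if isinstance(operand, ast.Name):
                    if operand.id not in columns:
                        raise UnsafeFilter(f"unknown column {operand.id!r}")
                elif not (isinstance(operand, ast.Constant)
                          and isinstance(operand.value, (int, float, str))):
                    raise UnsafeFilter(f"{type(operand).__name__} operand not allowed")
        else:
            # Call, Attribute, Subscript, BinOp ('a @ b' parses as matmul), ...
            raise UnsafeFilter(f"{type(node).__name__} not allowed in a filter")

    check(tree)
    return ast.unparse(tree)

if __name__ == "__main__":  # demo only; requires pandas to be installed
    import pandas as pd
    df = pd.DataFrame({"price": [5, 15, 25], "region": ["eu", "us", "eu"]})
    print(df.query(build_safe_query("price > 10 and region == 'eu'", df.columns)))
```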
Your submission is now in status Test run.
For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Your submission is now in status Final decision.
Hello @R3x
Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined this query is not eligible for a reward under the Bug Bounty program for the following reasons:
It doesn't meet the minimum complexity requirements:
To be eligible for a bounty, queries must be non-trivial, and meet a minimum complexity requirement. More concretely, queries that simply look for one or two AST elements, or that could be easily implemented with a linter or simple grep, may not be considered interesting enough for a bounty (A good way to ensure that your queries meet this requirement is to ensure it uses some more advanced analysis, like data-flow or control-flow).
If you see a way of supporting additional Python libraries with code injection sinks you might try to bundle them with this addition and create a new submission which might be eligible for a reward.
Best regards and happy hacking!
Your submission is now in status Closed.