ianmcook/queryparser

Security mechanism can be defeated by using function name as column name

Closed · 1 comment

The mechanism that stops queryparser from translating an expression if it includes functions that are not on the whitelist can be defeated by including a column name in the expression that has the same name as the disallowed function. For example:

```r
parse_expression("system + system('ls')")
#system + system("ls")
```

This is caused by the way the all_funs function is implemented.
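As an added illustration of the class of check this report describes (this is not code from the issue or from queryparser, and the flawed finder is an assumed reconstruction of logic that shows the symptom, not the project's own `all_funs`): a finder built on `all.names()` minus `all.vars()` loses a function name whenever a column shares it, while a walk over the call tree that only collects the symbol in call position does not.

```r
# Added illustration; not queryparser's own code. all_funs_flawed() is an
# assumed reconstruction of logic that reproduces the reported symptom.

# Flawed: "functions = every symbol minus every variable". all.vars() lists
# `system` because it is used as a column, so the set difference discards
# the `system` that heads the call system("ls") as well.
all_funs_flawed <- function(expr) {
  setdiff(all.names(expr), all.vars(expr))
}

# Sound: walk the call tree and record only the symbol in call position of
# each call. Symbols used as arguments (column names) are never collected,
# so a column cannot shadow a function of the same name.
all_funs_walk <- function(expr) {
  if (!is.call(expr)) return(character(0))
  head <- expr[[1]]
  found <- if (is.symbol(head)) as.character(head) else all_funs_walk(head)
  for (arg in as.list(expr)[-1]) {
    found <- c(found, all_funs_walk(arg))
  }
  unique(found)
}

# Whitelist gate as a translator might apply it: refuse the expression if
# any called function is outside the allowed set.
check_whitelist <- function(expr, allowed, finder) {
  disallowed <- setdiff(finder(expr), allowed)
  if (length(disallowed) > 0) {
    stop("disallowed function(s): ", paste(disallowed, collapse = ", "))
  }
  invisible(TRUE)
}

allowed <- c("+", "-", "*", "/", "abs", "round")  # constructed whitelist
e <- quote(system + system("ls"))                 # the expression from the issue

stopifnot(!"system" %in% all_funs_flawed(e))  # the flawed finder loses the call
stopifnot("system" %in% all_funs_walk(e))     # the tree walk still reports it
check_whitelist(e, allowed, all_funs_flawed)  # passes silently: the bypass
tryCatch(check_whitelist(e, allowed, all_funs_walk),
         error = function(err) message("blocked: ", conditionMessage(err)))
```

The `stopifnot` lines make the block self-checking: the flawed finder admits the expression, the tree walk rejects it.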

Fixed in 173cf64