Security Fix for Arbitrary Code Execution - huntr.dev #1120
@d3m0n-r00t (https://huntr.dev/users/d3m0n-r00t) has fixed a potential Arbitrary Code Execution vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...
| Q | A |
| --- | --- |
| Version Affected | * |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/tensorlayer/1/README.md |
User Comments:

📊 Metadata *

Fixed arbitrary code execution in tensorlayer

Bounty URL: https://www.huntr.dev/bounties/1-pip-tensorlayer

⚙️ Description *

TensorLayer is a novel TensorFlow-based deep learning and reinforcement learning library designed for researchers and engineers. It provides an extensive collection of customizable neural layers to build advanced AI models quickly. This package is vulnerable to Arbitrary Code Execution.

💻 Technical Description *

Use of `eval()` in the `eval_layer()` function without escaping causes execution of system commands.

🐛 Proof of Concept (PoC) *

OR

🔥 Proof of Fix (PoF) *

https://docs.python.org/3/library/ast.html#ast-helpers

👍 User Acceptance Testing (UAT)

As explained above, `ast.literal_eval()` can only be used on common strings and not complex expressions. So not sure how this will affect the package. However, it is safer for evaluating simple expressions.
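The trade-off raised in the UAT note, shown as an added example that is not TensorLayer's code: a literal-only parser built on `ast.literal_eval()` accepts the shapes, dicts and numbers a layer config typically carries but refuses any expression, which is exactly why code that previously relied on `eval()` for arithmetic or function calls would stop working. `parse_layer_arg` and the sample inputs are constructed for this illustration.

```python
import ast
from typing import Any, Tuple

# Constructed example: a literal-only replacement for an eval()-based
# argument parser. Not the tensorlayer project's own code.


def parse_layer_arg(text: str) -> Tuple[bool, Any]:
    """Parse a layer argument that arrives as a string.

    Returns (True, value) when `text` is a Python literal (number, string,
    bool, None, tuple, list, dict, set) and (False, reason) otherwise.
    ast.literal_eval walks the AST and only converts literal nodes, so
    names, calls and attribute access are rejected instead of executed.
    """
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # Everything that is not a plain literal lands here; the caller
        # decides whether to fall back to a default or reject the config.
        return False, f"{type(exc).__name__}: {exc}"


def parse_many(texts):
    """Map each config string to (accepted, value_or_reason)."""
    return {t: parse_layer_arg(t) for t in texts}


if __name__ == "__main__":
    # Constructed sample inputs: the first three are typical layer config
    # literals, the last two are expressions that eval() would run.
    samples = [
        "(32, 32, 3)",
        "{'act': 'relu', 'n_units': 64}",
        "0.5",
        "1 + 1",
        "os.getcwd()",
    ]
    for text, (ok, result) in parse_many(samples).items():
        print(f"{text!r:35} -> {'accepted' if ok else 'rejected'}: {result!r}")
```
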