Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Limit the strings which can be eval'd #165

Merged
merged 1 commit into from Aug 3, 2021

Conversation

mildebrandt
Copy link

When processing the schema, each line is run through Python's eval
function to make the validator available. A well constructed string
within the schema rules can execute system commands. This change limits
the string to those that begin with the known validators.

When processing the schema, each line is run through Python's eval
function to make the validator available. A well constructed string
within the schema rules can execute system commands. This change limits
the string to those that begin with the known validators.
@mildebrandt mildebrandt merged commit 6017300 into master Aug 3, 2021
5 checks passed
@mildebrandt mildebrandt deleted the feature/prevent_harmful_eval branch August 3, 2021 22:19
@mildebrandt mildebrandt restored the feature/prevent_harmful_eval branch August 3, 2021 22:24
@gauravphoenix
Copy link

Thank you for finding and fixing it, are you planning to publish a CVE for this?

@mildebrandt
Copy link
Author

Yes, it's CVE-2021-38305

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

5 participants