
Fix SSTI vulnerability in ad and consent pages #517

Merged
merged 2 commits into NYUCCL:master from BlaiseRitchie:patch-1 on Jun 16, 2021

Conversation

BlaiseRideout (Contributor)

Fixed an issue where users could pass arbitrary Python code to be executed on the server to the mode HTTP arg

More information about this type of vulnerability: https://secure-cookie.io/attacks/ssti/
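The PR description above states the bug class but not the code shape, so here is an added illustration that is not psiturk's code and not from this PR. It uses a constructed stand-in for a Jinja-style engine (every `{{ ... }}` in the template source is evaluated as a Python expression, which is the behaviour that makes SSTI possible) to contrast the vulnerable pattern, where the request's `mode` value is spliced into the template source, with a hardened one, where the source is a constant and `mode` is allowlisted and passed as data. The render context, the secret, and the set of allowed modes are all assumptions made for the example.

```python
import re

# Constructed stand-in for a Jinja-style template engine (added example, not
# psiturk's code). Every {{ ... }} in the template SOURCE is evaluated as a
# Python expression against the render context. It exists only to show why
# user input must never reach the source string.
EXPR = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)

# Constructed render context standing in for what a Flask view would expose.
CONTEXT = {"config": {"SECRET_KEY": "s3cr3t-example-key"}}


def render(template_source: str, context: dict) -> str:
    """Expand each {{ expr }} in template_source by evaluating expr."""
    def expand(match):
        # Builtins are stripped so the demo cannot touch the filesystem; an
        # attacker only needs the context (e.g. config) to do damage anyway.
        return str(eval(match.group(1).strip(), {"__builtins__": {}}, dict(context)))
    return EXPR.sub(expand, template_source)


def build_page_vulnerable(mode: str) -> str:
    """The bug class described in the PR: the request's mode value is spliced
    into the template source, so {{ }} inside it is interpreted, not displayed."""
    template_source = "<p>Mode: " + mode + "</p>"
    return render(template_source, CONTEXT)


# Assumed set of psiturk modes; the real list is not on this page.
ALLOWED_MODES = frozenset({"live", "sandbox", "debug"})


def validate_mode(mode: str) -> str:
    """Allowlist check: anything outside the known modes is rejected outright,
    so no attacker-controlled string reaches the template at all."""
    if mode not in ALLOWED_MODES:
        raise ValueError(f"unsupported mode: {mode!r}")
    return mode


def build_page_safe(mode: str) -> str:
    """Hardened form: the template source is a constant and the validated
    mode is passed as DATA through the context, where it is displayed, not parsed."""
    template_source = "<p>Mode: {{ mode }}</p>"
    return render(template_source, {**CONTEXT, "mode": validate_mode(mode)})


if __name__ == "__main__":
    print(build_page_vulnerable("{{ 7 * 7 }}"))                 # classic SSTI probe
    print(build_page_vulnerable("{{ config['SECRET_KEY'] }}"))  # leaks server secrets
    print(build_page_safe("live"))
    try:
        build_page_safe("{{ 7 * 7 }}")
    except ValueError as exc:
        print("rejected:", exc)
```

The `7 * 7` probe is the usual first test for this class: if the response contains `49`, the input was parsed as template syntax rather than shown as text. Note that the fix is not "escape the braces"; it is to keep the template source constant and hand request values to the engine only as context data, with an allowlist where, as with `mode`, the legitimate values are a small fixed set.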
BlaiseRideout (Contributor, Author)

Here's an example of reading a server-side file from /etc using the default psiturk-setup-example project:
[image: SSTI vulnerability example]

coveralls

Coverage remained the same at 60.086% when pulling 3454df2 on BlaiseRitchie:patch-1 into e8c0828 on NYUCCL:master.

deargle (Collaborator) commented Jun 16, 2021

🎉 🎉 🎉 awesome, how did you find this?

BlaiseRideout (Contributor, Author)

> 🎉 🎉 🎉 awesome, how did you find this?

A whitehat security researcher reported it to us

deargle (Collaborator) commented Jun 16, 2021

I'm considering just stripping out all of the insert_mode calls etc. I think that was for maintaining compatibility between psiturk 1 and 2 -- I don't think any psiturk 1 template would work anymore anyway.

@deargle deargle merged commit 952718a into NYUCCL:master Jun 16, 2021
3 checks passed
deargle (Collaborator) commented Jun 16, 2021

But I'll merge this for now.

deargle pushed a commit that referenced this pull request Oct 1, 2021
* Fix SSTI vulnerability in ad and consent pages