Dangerous implementation of a parser (`fairseq.data.codedataset.parse_manifest`) can cause RCE while parsing a well-constructed evil file.
#4869
Labels: 🐛 Bug
The dangerous function `eval` is used in `fairseq.data.codedataset.parse_manifest`. `parse_manifest` is often used to parse the manifest file during loading (see the official example https://github.com/facebookresearch/fairseq/blob/b5a039c292facba9c73f59ff34621ec131d82341/examples/textless_nlp/pgslm/prepare_dataset.py). But there is no security check on the incoming file; `eval` is simply applied to the lines that are read. So if an attacker constructs an evil file and feeds it to the server, or gives it to a person who doesn't check the file and just loads it, then it will lead to RCE. But if we check the if-else code:
We can see that the check only works for the `str` type, so there is actually no need to use `eval`.

To Reproduce
Here I give the simplest example.
First, construct an evil file:
Second, we just parse it.
Environment
Additional context
Actually it can be easily fixed: just do not use `eval`. If we only need the code to work on the `str` type, just use `str()`. Or use `literal_eval()`.
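One way to write such a parser with `ast.literal_eval` plus a `str` type check, as an added example and not fairseq's own code: the manifest format (one Python string literal per line naming an audio file) is an assumption made for this example, not the real `parse_manifest` format.

```python
import ast
from pathlib import Path
from typing import List

# Assumed manifest format for this example (not fairseq's real one):
# one entry per line, each a Python string literal, e.g.  'clips/a.wav'


def parse_manifest_lines(lines: List[str]) -> List[Path]:
    """Parse manifest lines without eval().

    ast.literal_eval only accepts literal syntax (strings, numbers, tuples,
    lists, dicts, ...) and raises on anything else, so a line containing a
    call, attribute access or import statement is never executed.  The result
    is then restricted to str, the only type the loader needs.
    """
    paths: List[Path] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            value = ast.literal_eval(line)
        except (ValueError, SyntaxError, TypeError) as exc:
            # Non-literal syntax (ValueError/SyntaxError) or a literal that
            # cannot be built, e.g. an unhashable dict key (TypeError).
            raise ValueError(f"manifest line {lineno}: not a literal") from exc
        if not isinstance(value, str):
            raise ValueError(
                f"manifest line {lineno}: expected str, got {type(value).__name__}"
            )
        paths.append(Path(value))
    return paths


def is_rejected(line: str) -> bool:
    """True if the parser refuses the line instead of evaluating it."""
    try:
        parse_manifest_lines([line])
    except ValueError:
        return True
    return False


# Constructed sample input: two valid entries separated by a blank line.
SAMPLE_MANIFEST = ["'clips/a.wav'\n", "\n", '"clips/b.wav"\n']
```

Note that `literal_eval` can still raise `RecursionError` or `MemoryError` on pathologically nested input, so a size limit on manifest lines is a sensible extra guard.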