[Vulnerability Bug] Used blacklisted dangerous function call that can lead to RCE #355
Comments
Hi @Aju100, thanks for creating an issue. This file is used to fetch contributors' information from GitHub for the documentation website and is not directly part of FURY's actual code base, so regular users shouldn't be affected by it. Also, I don't understand the patches that you have suggested; can you please explain them a bit more? It looks like you have called the same method twice. A proof of concept of how this could be exploited would help us understand the situation. Thanks.
Thanks for letting us know. +1, I don't see or understand your fixes/patches in your comment. It seems there is no change. Please feel free to create a PR; the change will be more explicit. Thank you.
Hi @skoudoro @Nibba2018, sorry for my delayed response due to some personal work. The functions that the code uses are deprecated and vulnerable to remote code execution. To have the URL in order to use it, we have hard-coded it.
Fixes #357
I read up on this, and there's a couple of ways to fix this:

I think @Aju100 was trying to implement the first way (although I doubt there was any need for using global vars, and personally I don't like to do it that way). What do we need to do? We just need to add a check to fetch_url and return an error if someone tries to communicate over any protocol other than http: or https:; any valid URL is bound to contain these... After the change, our little fetch_url(url) will look something like:

```python
import sys
from urllib.request import Request, urlopen

def fetch_url(url):
    # Only talk http(s); any other scheme is treated as an error and
    # returns empty data instead of being handed to urlopen()
    if not url.lower().startswith('http'):
        print("refusing non-http(s) url %s" % url, file=sys.stderr)
        return {}
    req = Request(url)
    if GH_TOKEN:
        req.add_header('Authorization', 'token {0}'.format(GH_TOKEN))
    try:
        print("fetching %s" % url, file=sys.stderr)
        # url = Request(url,
        #               headers={'Accept': 'application/vnd.github.v3+json',
        #                        'User-agent': 'Defined'})
        f = urlopen(req)
    except Exception as e:
        print(e)
        print("return Empty data", file=sys.stderr)
        return {}
    return f
```

Will this be correct? Will it fix the issue? I hope it will fix the issue. @Aju100 Could I get a couple of valid & invalid requests to test this against? I need to confirm it works before I commit. I will fix this in the next PR, pinky promise!!!
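The scheme check discussed in the comment above, written out as an added example that is not part of the thread or of FURY's own code. Instead of a string prefix test it parses the URL with `urllib.parse.urlparse` and compares the actual scheme against an allow-list, so `file:`, `ftp:` and odd prefixes such as `httpfoo:` are all refused before `urlopen()` is ever called (the bandit B310 finding is about `urlopen()` accepting those schemes). The `opener` parameter, the `UnsafeUrlError` class and the `fetch_with_fake_opener` helper are assumptions added so the code can be exercised offline; `GH_TOKEN` is replaced by a `token` argument for the same reason.

```python
import sys
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumption: the documentation fetcher only ever needs the GitHub API,
# so http and https are the only schemes worth allowing.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeUrlError(ValueError):
    """Raised when a URL uses a scheme outside the allow-list (assumed name)."""


def validate_url(url):
    """Return the parsed URL if its scheme is http/https, else raise UnsafeUrlError.

    urlopen() also understands file:, ftp: and data: URLs, so an attacker-
    controlled value passed straight to it reaches resources the fetcher was
    never meant to touch. Checking parsed.scheme (which urlparse lowercases)
    rejects 'httpfoo://' and 'file://' alike, unlike startswith('http').
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrlError("refusing %r: scheme %r not allowed" % (url, parsed.scheme))
    if not parsed.netloc:
        raise UnsafeUrlError("refusing %r: no host in URL" % url)
    return parsed


def is_allowed_url(url):
    """Boolean wrapper around validate_url for quick checks."""
    try:
        validate_url(url)
        return True
    except UnsafeUrlError:
        return False


def fetch_url(url, token=None, opener=urlopen):
    """Hardened fetcher: validate the scheme before touching the network.

    `opener` is injectable (assumption) so the function can run offline;
    in real use the default urlopen is what does the request.
    """
    validate_url(url)                      # raises before any I/O happens
    req = Request(url)
    if token:
        req.add_header("Authorization", "token {0}".format(token))
    try:
        print("fetching %s" % url, file=sys.stderr)
        return opener(req)
    except Exception as e:
        print(e, file=sys.stderr)
        print("return Empty data", file=sys.stderr)
        return {}


def fetch_with_fake_opener(url):
    """Offline harness: records which URLs actually reach the opener.

    Returns (result, list_of_urls_opened); result is None when the URL
    was rejected by validate_url.
    """
    seen = []

    def fake_open(req):
        seen.append(req.full_url)
        return b"ok"

    try:
        result = fetch_url(url, opener=fake_open)
    except UnsafeUrlError as e:
        print(e, file=sys.stderr)
        result = None
    return result, seen


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate API URL, two that must be refused.
    for candidate in ("https://api.github.com/repos/fury-gl/fury/contributors",
                      "file:///tmp/secret.txt",
                      "httpfoo://example.org/"):
        print(candidate, "->", fetch_with_fake_opener(candidate))
```

The point of splitting `validate_url` out of `fetch_url` is that the allow-list decision is made once, before `Request` is built, and cannot be skipped by a later refactor of the network code; the fake opener shows that rejected URLs never reach it.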
Hey @amitchaudhari9121, yes it will fix the issue. Make a PR and let the maintainers review the code.
* Fix test_utils.py warning
* This should fix (#355):
* test_actors.py: Fix 1 unnecessary warning
* Basic Convert.py testing
* pep8 fix
* CI: fix matplotlib is an Optional Module
* forgot import in test_convert.py -_- Effects of sleep deprivation
* CI fix: proper imports
* Made the suggested Changes in review.
* Revised changes:
* Revised Changes
Fixed by #399 , closing |
Hi Opensource enthusiast,
After looking through the whole codebase, I got to identify a few vulnerabilities in the fury repository.
Impact
Vulnerable code
github_tools.py
Patches
github_tools.py
Vulnerable code
fetcher.py
Patches
fetcher.py
For more info, you can also go through bandit, which lists dangerous function calls. For the URL, we have to insert it in Request('here').
References: Stackoverflow