Vulnerability description
When we use the QaEngineer role, arbitrary code execution could happen because QaEngineer adopts a dangerous action, RunCode, to test code generated by Engineer. The RunCode.run_script() method invokes subprocess.Popen without any check. Evil guys can manipulate prompts to execute some sensitive operations.
Proof of concept
My PoC code was designed with slight modifications to your tutorial example:

```python
import os
os.environ["OPENAI_API_KEY"] = "sk-..."

import asyncio
from metagpt.roles import (
    ProductManager,
    Architect,
    ProjectManager,
    Engineer,
    QaEngineer
)
from metagpt.team import Team


async def startup(idea: str):
    company = Team()
    company.hire(
        [
            ProductManager(),
            Architect(),
            ProjectManager(),
            Engineer(),
            QaEngineer()  # the role that runs the generated tests via RunCode
        ]
    )
    company.invest(investment=1.0)
    company.run_project(idea=idea)
    await company.run(n_round=16)


async def app(user_prompt):
    await startup(idea=user_prompt)


if __name__ == "__main__":
    user_input = "I want to execute shell command `ls -l`. Please help me write a piece of code and test this code."
    asyncio.run(app(user_input))
```
And in the path MetaGPT/workspace/.../test_outputs/, we can notice the output of ls -l in a JSON file. It means that ls -l executes successfully.
Note that in this PoC I only execute ls -l, but in a real scenario, an attacker could execute dangerous operations such as file deletions or backdoor opening.
Vulnerability solved suggestion
Using Docker to execute Python is a good choice. Restricting some sensitive code via a whitelist or blacklist could also be considered.
Good advice. We will take this into consideration. Maybe you can also contribute a PR? 😁
Thank you, but I am usually quite busy with work. However, I can offer some suggestions here.
Using Docker. Docker offers an isolated environment. Even if attackers gain remote command execution permissions, they are unable to inflict actual harm on the real system. There are two good practices, AutoGPT and AutoGen, you can refer to.
Imposing limitations on the commands that can be executed in Python/Shell. We can also build a whitelist of commands. Only necessary commands can be executed. There are also two good practices, LlamaIndex and Pandas-ai, you can refer to.
I hope these suggestions will contribute to the improvement of your project's security.
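The two mitigations proposed in this thread (an allowlist of commands, and running the generated code inside a locked-down container) can be combined in one wrapper. The following is an added example, not MetaGPT's code and not the reporter's: it is a hypothetical hardened stand-in for a `RunCode.run_script()` that validates the command before anything reaches `subprocess`, then wraps it in a `docker run` with networking, capabilities and privileges removed. The allowlist contents, the image name and the resource limits are assumptions chosen for illustration.

```python
import subprocess
from pathlib import Path
from typing import Sequence

# Constructed allowlist for this example: only the tools a QA step needs.
# Anything else (sh, bash, curl, rm, ...) is refused before Popen is reached.
ALLOWED_EXECUTABLES = frozenset({"python", "python3", "pytest"})

# Interpreter flags that turn an allowed executable into an arbitrary-code
# launcher; refused for the same reason (assumed set, extend as needed).
FORBIDDEN_FLAGS = {
    "python": frozenset({"-c"}),
    "python3": frozenset({"-c"}),
}


class DisallowedCommand(ValueError):
    """Raised when a generated command does not pass the allowlist."""


def validate_command(argv: Sequence[str]) -> list:
    """Return argv as a list if it passes the allowlist, else raise."""
    argv = list(argv)
    if not argv:
        raise DisallowedCommand("empty command")
    exe = argv[0]
    # Bare program name only: no /usr/bin/..., ./... or ..\..., so the
    # allowlist cannot be bypassed by pointing at a different binary.
    if "/" in exe or "\\" in exe:
        raise DisallowedCommand(f"executable must be a bare name, got {exe!r}")
    if exe not in ALLOWED_EXECUTABLES:
        raise DisallowedCommand(f"executable not allowed: {exe!r}")
    bad = [a for a in argv[1:] if a in FORBIDDEN_FLAGS.get(exe, frozenset())]
    if bad:
        raise DisallowedCommand(f"flag not allowed for {exe}: {bad}")
    return argv


def is_allowed(argv: Sequence[str]) -> bool:
    """Boolean form of validate_command, convenient for logging/metrics."""
    try:
        validate_command(argv)
        return True
    except DisallowedCommand:
        return False


def build_sandboxed_argv(argv: Sequence[str], workdir, image="python:3.11-slim") -> list:
    """Wrap a validated command in a locked-down `docker run` invocation."""
    checked = validate_command(argv)
    work = Path(workdir).resolve()
    return [
        "docker", "run", "--rm",
        "--network", "none",                 # no egress: no exfiltration, no downloads
        "--read-only",                       # immutable root filesystem
        "--tmpfs", "/tmp",                   # scratch space the interpreter may need
        "--cap-drop", "ALL",                 # no Linux capabilities at all
        "--security-opt", "no-new-privileges",
        "--user", "65534:65534",             # unprivileged uid/gid (nobody)
        "--memory", "512m", "--pids-limit", "128",   # bound resource abuse
        "-v", f"{work}:/work",               # only the project workspace is visible
        "-w", "/work",
        image,
        *checked,
    ]


def run_script_sandboxed(argv: Sequence[str], workdir, timeout: int = 60):
    """Hypothetical hardened run_script: validate, containerise, time-limit."""
    full_argv = build_sandboxed_argv(argv, workdir)
    # A list argv means shell=False: nothing is parsed by /bin/sh.
    proc = subprocess.run(full_argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    for cmd in (["python", "-m", "pytest", "tests/"],
                ["sh", "-c", "ls -l"],
                ["/usr/bin/python3", "test_main.py"],
                ["python", "-c", "print('hi')"]):
        try:
            print("allowed:", " ".join(build_sandboxed_argv(cmd, ".")))
        except DisallowedCommand as err:
            print("refused:", cmd, "->", err)
```

The allowlist is a guardrail, not the boundary: an interpreter on the list can still be fed a generated test file that does anything Python can do, which is exactly why the container (no network, no capabilities, unprivileged user, read-only root, only the workspace mounted) is the control that actually limits the damage, with the allowlist and the timeout mainly cutting off the cheap escalations (`sh -c`, `python -c`, runaway processes).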