
[Python]: Add unsafe deserialization sinks #772

Closed
1 of 2 tasks
maikypedia opened this issue Jul 28, 2023 · 5 comments
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@maikypedia

Query PR

github/codeql#13781

Language

Python

CVE(s) ID list

CWE

CWE-502: Deserialization Of Untrusted Data

Report

This covers the pandas, numpy and joblib unsafe deserialization vulnerability, which happens when an attacker is able to inject data into the deserialization method, leading to Remote Code Execution. Both numpy and joblib don't deserialize the input itself but the content of the file, like other libraries modeled for insecure deserialization, but it is worth alerting. In the case of pandas, the input could be an attacker URL containing the data to deserialize, and that could lead to Remote Code Execution.

The dataflow configuration I used is the Unsafe Deserialization default, looking for RemoteFlowSource flowing to the deserialization of data by pandas, numpy and joblib. The sinks are pandas.read_pickle, numpy.load and joblib.load.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response

@maikypedia maikypedia added the All For One Submissions to the All for One, One for All bounty label Jul 28, 2023
@pwntester pwntester assigned pwntester and jorgectf and unassigned pwntester Jul 28, 2023
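A lightweight check in the spirit of the sinks named in the report above, added here as an illustration and not part of the issue, the submitted CodeQL query, or any of these libraries: it parses a Python module, resolves `import ... as` and `from ... import` aliases, and reports every call that resolves to `pandas.read_pickle`, `numpy.load` or `joblib.load`, so a reviewer can see where untrusted paths or URLs would need to be traced. The `SAMPLE` module is constructed for the demonstration.

```python
import ast

# The three deserialization sinks listed in the report, as (module, attribute).
SINKS = {("pandas", "read_pickle"), ("numpy", "load"), ("joblib", "load")}

def _alias_map(tree):
    """Map local names to the fully qualified names they were imported as."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:                  # import numpy as np
                names[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:                  # from joblib import load as jl_load
                names[a.asname or a.name] = f"{node.module}.{a.name}"
    return names

def _qualname(func, names):
    """Resolve the callee of a Call node to 'module.attr', or None if unknown."""
    if isinstance(func, ast.Name):                # jl_load(...)
        return names.get(func.id)
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        base = names.get(func.value.id, func.value.id)  # np.load(...) -> numpy.load
        return f"{base}.{func.attr}"
    return None

def find_deserialization_sinks(source):
    """Return sorted (line, qualified_name) pairs for calls to the modeled sinks."""
    tree = ast.parse(source)
    names = _alias_map(tree)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            qn = _qualname(node.func, names)
            if qn:
                mod, _, attr = qn.rpartition(".")
                if (mod, attr) in SINKS:
                    hits.append((node.lineno, qn))
    return sorted(hits)

# Constructed sample module: three sinks and one call that is not modeled.
SAMPLE = '''
import pandas as pd
import numpy as np
from joblib import load as jl_load
import json

def handler(url, path):
    df = pd.read_pickle(url)               # URL may be attacker-controlled
    arr = np.load(path, allow_pickle=True)  # pickle content inside the file
    model = jl_load(path)                   # joblib.load via an alias
    return json.load(open(path))            # not a deserialization sink here
'''

if __name__ == "__main__":
    for line, name in find_deserialization_sinks(SAMPLE):
        print(f"line {line}: call to {name}")
```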
@ghsecuritylab
Collaborator

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@xcorail
Contributor

xcorail commented Sep 29, 2023

Created Hackerone report 2187446 for bounty 517313 : [772] [Python]: Add unsafe deserialization sinks

@xcorail xcorail closed this as completed Sep 29, 2023
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
