Python : Arbitrary code execution due to Js2Py

Query PR

github/codeql#16771

Language

Python

CVE(s) ID list

CVE-2023-0297
GHSA-pf38-5p22-x6h6

CWE

CWE-094

Report

Js2Py is a Javascript to Python translation library written in Python. It allows users to invoke JavaScript code directly from Python. The Js2Py interpreter by default exposes the entire standard library to it's users. This can lead to security issues if a malicious input were directly.

The library provides two main ffunctions, eval_js annd eval_js6 to execute JS code. Any flow to these functions can lead to RCE.
The potential impact of this query can be significantly be if python imports arre disabled using the disable_pyimports call.
The proposed query detects the vulnerable pattern of a remote buffer flowing into any of the target functions. The query also supresses the results if imports are disabled to prevent false positives.

This vulnerability was found in pyload/pyload and was reported under CVE-2023-0297. The databases forr the same are available to download from the following links

https://file.io/qrMEjSJJoTq1
https://filetransfer.io/data-package/a02eab7V#link

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

• Yes
• No

Blog post link

No response

[sylwia-budzynska]

👋 I have run MRVA with this query against our lists, but I got no new results, which is one of the requirements for bug bounty submissions. Do you think you could add any new sources or sinks to the submission? This would improve the scope score for this submission.

[ghsecuritylab]

Your submission is now in status Test run.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@sylwia-budzynska Is this a recent change? I thought any query which could detect any valid CVE in a real world codebase was eligible for bounty.

To be considered, your query must find at least one CVE that was not previously found by an existing query, in a released version (older releases are also permitted) of an open source project that is actually used (no demo, training, vulnerable on purpose). Submissions without at least one result won't be considered.

I can confirm this query finds a valid CVE. I have also attached the database for the concerned project above.

[sylwia-budzynska]

@porcupineyhairs My bad, I meant this line:

Queries must meet at least the requirements for experimental queries, including at least one useful result on some revision of a real project.

The submission must find at least one CVE (your query already does) and find one result on a real project. This has been a requirement all the time I've started this role at GitHub, so at least two years. If there are any other code injection or other sinks you can add, it will help the scores for your submission - let me know what you decide.

@sylwia-budzynska Are you sure, I believe the only requirement was a valid result on a real world project. This could be the same as the CVE. Can you please confirm with the team again?

In the meantime, I would look into expanding the scope a bit.

[sylwia-budzynska]

@porcupineyhairs The general consensus is that a submission should find a new result, outside of the CVE. That said, since the sinks you've provided do look good to have in CodeQL, we decided to go forward with the submission. Though please consider adding more models to the submission, to improve the detection rates, and to give you a higher payout. We expect to finish all bug bounty activity within the next few weeks, so if you can, please add them sooner rather than later.

[ghsecuritylab]

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

[xcorail]

Created Hackerone report 2597553 for bounty 595896 : [832] Python : Arbitrary code execution due to Js2Py

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed