Arbitrary code execution in JiraAPIWrapper #4833
Labels
Comments
|
I think the options here are to either a) check code to a limited number of allowed actions, or b) remove the "other" method from the tool. It looks like we want the jira tool to:
I'm not sure what other functionality we want to extend to with self.other, maybe y'all know how to proceed best |
14 tasks
|
This is another critical bug that is deployment breaking for many: https://nvd.nist.gov/vuln/detail/CVE-2023-34540 |
hwchase17
pushed a commit
that referenced
this issue
Jul 5, 2023
…API wrapper (#6992) This fixes #4833 and the critical vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-34540 Previously, the JIRA API Wrapper had a mode that simply pipelined user input into an `exec()` function. [The intended use of the 'other' mode is to cover any of Atlassian's API that don't have an existing interface](https://github.com/hwchase17/langchain/blob/cc33bde74ff2e050a400e4451e04ff5b32c4a7bd/langchain/tools/jira/prompt.py#L24) Fortunately all of the [Atlassian JIRA API methods are subfunctions of their `Jira` class](https://atlassian-python-api.readthedocs.io/jira.html), so this implementation calls these subfunctions directly. As well as passing a string representation of the function to call, the implementation flexibly allows for optionally passing args and/or keyword-args. These are given as part of the dictionary input. Example: ``` { "function": "update_issue_field", #function to execute "args": [ #list of ordered args similar to other examples in this JiraAPIWrapper "key", {"summary": "New summary"} ], "kwargs": {} #dict of key value keyword-args pairs } ``` the above is equivalent to `self.jira.update_issue_field("key", {"summary": "New summary"})` Alternate query schema designs are welcome to make querying easier without passing and evaluating arbitrary python code. I considered parsing (without evaluating) input python code and extracting the function, args, and kwargs from there and then pipelining them into the callable function via `*f(args, **kwargs)` - but this seemed more direct. @vowelparrot @dev2049 --------- Co-authored-by: Jamal Rahman <jamal.rahman@builder.ai>
|
Hi. I still getting this error in scan: https://nvd.nist.gov/vuln/detail/CVE-2023-34540 |
|
@aiakubovich for Jira, this should be fixed in most recent version, so updating langchain version should remove the error |
aerrober
pushed a commit
to aerrober/langchain-fork
that referenced
this issue
Jul 24, 2023
…API wrapper (langchain-ai#6992) This fixes langchain-ai#4833 and the critical vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-34540 Previously, the JIRA API Wrapper had a mode that simply pipelined user input into an `exec()` function. [The intended use of the 'other' mode is to cover any of Atlassian's API that don't have an existing interface](https://github.com/hwchase17/langchain/blob/cc33bde74ff2e050a400e4451e04ff5b32c4a7bd/langchain/tools/jira/prompt.py#L24) Fortunately all of the [Atlassian JIRA API methods are subfunctions of their `Jira` class](https://atlassian-python-api.readthedocs.io/jira.html), so this implementation calls these subfunctions directly. As well as passing a string representation of the function to call, the implementation flexibly allows for optionally passing args and/or keyword-args. These are given as part of the dictionary input. Example: ``` { "function": "update_issue_field", #function to execute "args": [ #list of ordered args similar to other examples in this JiraAPIWrapper "key", {"summary": "New summary"} ], "kwargs": {} #dict of key value keyword-args pairs } ``` the above is equivalent to `self.jira.update_issue_field("key", {"summary": "New summary"})` Alternate query schema designs are welcome to make querying easier without passing and evaluating arbitrary python code. I considered parsing (without evaluating) input python code and extracting the function, args, and kwargs from there and then pipelining them into the callable function via `*f(args, **kwargs)` - but this seemed more direct. @vowelparrot @dev2049 --------- Co-authored-by: Jamal Rahman <jamal.rahman@builder.ai>
obi1kenobi
added a commit
to obi1kenobi/advisory-database
that referenced
this issue
Aug 28, 2023
That advisory corresponds to: - this issue, which is closed as completed: langchain-ai/langchain#4833 - this PR, which is merged: langchain-ai/langchain#6992 - this fix release, which references the above PR in the release notes: https://github.com/langchain-ai/langchain/releases/tag/v0.0.225
|
Confirming this is fixed in #6992 and published in v0.0.225. Versions v0.0.225 and newer should not be affected. You can confirm this by noting:
@aiakubovich I'm opening a PR to the advisory database to update that CVE as fixed in v0.0.225, which should stop it from being reported on your end once your scanner tool sees the updated database entry. If you're still seeing this problem ~next week, please give us a ping and we can dig in deeper together. Thanks for your patience on this! We're working to make this process smoother in the future. |
sethmlarson
pushed a commit
to pypa/advisory-database
that referenced
this issue
Aug 28, 2023
That advisory corresponds to: - this issue, which is closed as completed: langchain-ai/langchain#4833 - this PR, which is merged: langchain-ai/langchain#6992 - this fix release, which references the above PR in the release notes: https://github.com/langchain-ai/langchain/releases/tag/v0.0.225
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
System Info
LangChain version:0.0.171
windows 10
Who can help?
No response
Information
Related Components
Reproduction
idcommand will be executed.Commands can be change to others and attackers can execute arbitrary code.
Expected behavior
The code can be executed without any check.
The text was updated successfully, but these errors were encountered: