Skip to content
This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fixed Arbitrary code execution in tensorlayer #1

Merged
merged 2 commits into from
Feb 19, 2021
Merged

Fixed Arbitrary code execution in tensorlayer #1

merged 2 commits into from
Feb 19, 2021

Conversation

d3m0n-r00t
Copy link

@d3m0n-r00t d3m0n-r00t commented Jan 27, 2021
edited
Loading

📊 Metadata *

Fixed Arbitrary code execution in tensorlayer

Bounty URL: https://www.huntr.dev/bounties/1-pip-tensorlayer

⚙️ Description *

TensorLayer is a novel TensorFlow-based deep learning and reinforcement learning library designed for researchers and engineers. It provides an extensive collection of customizable neural layers to build advanced AI models quickly. This package is vulnerable to Arbitrary Code Execution.

💻 Technical Description *

Use of eval() in eval_layer() function without escaping causes execution of system commands.

🐛 Proof of Concept (PoC) *

pip install tensorflow
pip install tensorlayer

from tensorlayer.files.utils import eval_layer

eval_layer({'class': 'utils.np.os.execvp', 'args': {'layer_type': 'normal', 'file': 'calc.exe', 'args': ['0']}})

OR

from tensorlayer.files.utils import eval_layer
eval_layer({'class': 'utils.np.os.system', 'args': {'layer_type': 'normal', 'command': 'calc.exe'}})

Screenshot 2021-01-27 125710

🔥 Proof of Fix (PoF) *

Screenshot 2021-01-27 124206

Screenshot 2021-01-27 125815
https://docs.python.org/3/library/ast.html#ast-helpers

👍 User Acceptance Testing (UAT)

As explained above ast.literal_eval() can only be used in common strings and not complex expressions. So not sure on how this will affect the package. However it is safer for evaluvating simple expressions.

@huntr-helper
Copy link

👋 Hello, @zsdonghao - @d3m0n-r00t has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@zsdonghao & @d3m0n-r00t - thank you for your efforts in securing the world’s open source code! 🎉

huntr-helper pushed a commit to 418sec/huntr that referenced this pull request Jan 27, 2021
Added fix submission to FixSubmissionCount for 418sec/tensorlayer#1
ddb95e4
@d3m0n-r00t
Copy link
Author

@zsdonghao.
Any comments on this?

@d3m0n-r00t d3m0n-r00t mentioned this pull request Jan 31, 2021
Open
2 tasks
@d3m0n-r00t
Copy link
Author

@Laicheng0830
Please find the fix for the issue (tensorlayer#1116) here. If found ok just comment @huntr-helper - LGTM.
Thanks

@JamieSlome
Copy link

@huntr-helper - LGTM

@huntr-helper huntr-helper merged commit 9129db3 into 418sec:master Feb 19, 2021
@huntr-helper huntr-helper mentioned this pull request Feb 19, 2021
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Laicheng0830 Laicheng0830 Laicheng0830 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@d3m0n-r00t @huntr-helper @JamieSlome @Laicheng0830