Code execution when loading the configuration #149

Open
RootLUG opened this issue Jun 5, 2019 · 1 comment
Comments

RootLUG commented Jun 5, 2019

Hello,
When conducting a security audit of source code that includes nanohttp, I noticed that there is an exec done when loading the settings, e.g. https://github.com/Carrene/nanohttp/blob/master/nanohttp/cli/entry.py#L73 :
exec(f'settings.{key} = {value}')

Is this behavior necessary? From a security point of view, this is very dangerous behavior, especially if the origin of the key or value can't be trusted. I would strongly suggest replacing this with a call to the built-in setattr function, which you can use instead to achieve the same thing in a safe way.

pylover (Owner) commented Jun 18, 2019

I agree with you, but the main function will be used by developers and/or system administrators, and only they can attack themselves. So I think setting a configuration key via the command line is a useful feature.

I'll try to rewrite this portion of code without the exec built-in function.

Thanks a lot in advance.
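To make the difference between the two approaches concrete, here is an added example (not code from nanohttp or from either participant) showing the reported exec pattern beside a setattr-based replacement. `make_settings()` builds a hypothetical nested settings object standing in for nanohttp's real one, `SIDE_EFFECTS` is a constructed marker list that records whether attacker-controlled text was actually executed, and the rule that a value which is not a Python literal is stored as a plain string is an assumption about the desired command-line behaviour, not anything the project documents.

```python
"""exec() on a 'key=value' setting is code execution; setattr() on a
validated dotted key with a literal-only value is data assignment.
Added example, not nanohttp code."""
import ast
import types

# Constructed marker: anything appended here proves that text supplied as a
# setting key or value ran as Python instead of being stored as data.
SIDE_EFFECTS = []


def make_settings():
    """Hypothetical nested settings object (stand-in for nanohttp's)."""
    return types.SimpleNamespace(
        debug=False,
        db=types.SimpleNamespace(url='sqlite:///dev.db', pool_size=5),
    )


def set_with_exec(settings, key, value):
    """The pattern the issue reports: key and value are spliced into source
    and compiled, so both are executed with the caller's privileges."""
    exec(f'settings.{key} = {value}')
    return settings


def is_valid_key(key):
    """A key is a dotted path of plain public identifiers.  Rejecting anything
    else means statements cannot be smuggled in through the key and dunder
    attributes such as __class__ cannot be reached."""
    return all(part.isidentifier() and not part.startswith('_')
               for part in key.split('.'))


def parse_value(value):
    """ast.literal_eval accepts literals only (numbers, strings, booleans,
    None, tuples, lists, dicts); calls, names and attribute access raise.
    Non-literal text is kept as a plain string (assumed CLI behaviour)."""
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError):
        return value


def set_with_setattr(settings, key, value):
    """Hardened replacement: walk the dotted path with getattr, then assign
    the parsed value with setattr.  Nothing here is compiled or executed."""
    if not is_valid_key(key):
        raise ValueError(f'invalid setting key: {key!r}')
    *parents, leaf = key.split('.')
    target = settings
    for part in parents:
        target = getattr(target, part)  # AttributeError if the section is unknown
    setattr(target, leaf, parse_value(value))
    return settings


def demo():
    """Runs both variants on a malicious value and a malicious key and
    reports what happened; returns the observations as a dict."""
    hostile_value = 'SIDE_EFFECTS.append("value ran") or 42'
    hostile_key = 'debug = SIDE_EFFECTS.append("key ran") or 1; settings.debug'

    via_exec = set_with_exec(make_settings(), 'db.pool_size', hostile_value)
    set_with_exec(make_settings(), hostile_key, 'True')
    via_setattr = set_with_setattr(make_settings(), 'db.pool_size', hostile_value)

    return {
        'exec_ran_value': 'value ran' in SIDE_EFFECTS,   # True
        'exec_ran_key': 'key ran' in SIDE_EFFECTS,       # True
        'exec_pool_size': via_exec.db.pool_size,         # 42, attacker's result
        'setattr_pool_size': via_setattr.db.pool_size,   # the raw string, unevaluated
        'setattr_rejects_key': not is_valid_key(hostile_key),  # True
    }


if __name__ == '__main__':
    for name, observed in demo().items():
        print(f'{name}: {observed!r}')
```

The important design point is that `set_with_setattr` never turns user input into source: the key is checked against a whitelist of identifier shapes before any lookup, and the value goes through `ast.literal_eval`, which parses but does not evaluate expressions, so `SIDE_EFFECTS.append(...)` is just a string to it. This keeps the feature pylover wants (setting `db.pool_size=20` from the command line) while removing the code-execution path.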
