Untrusted code execution
Ian Kelly
ian.g.kelly at gmail.com
Tue Apr 5 10:50:16 EDT 2016
On Tue, Apr 5, 2016 at 8:17 AM, Rustom Mody <rustompmody at gmail.com> wrote:
> On Tuesday, April 5, 2016 at 7:19:39 PM UTC+5:30, Jon Ribbens wrote:
>> On 2016-04-03, Jon Ribbens wrote:
>> > I'd just like to say up front that this is more of a thought experiment
>> > than anything else, I don't have any plans to use this idea on any
>> > genuinely untrusted code. Apart from anything else, there's the
>> > denial-of-service issue.
>> >
>> > That said, is there any way that the following Python 3.4 code could
>> > result in a arbitrary code execution security hole?
>> >
>> > tree = compile(untrusted_code, "<script>", "eval", ast.PyCF_ONLY_AST)
>> > for node in ast.walk(tree):
>> > if (isinstance(node, ast.Name) and node.id.startswith("_") or
>> > isinstance(node, ast.Attribute) and node.attr.startswith("_")):
>> > raise ValueError("Access to private values is not allowed.")
>> > namespace = {"__builtins__": {"int": int, "str": str, "len": len}}
>> > print(eval(compile(tree, "<script>", "eval"), namespace))
>>
>> Nobody has any thoughts on this at all?
>
> i actually did...
>
> But dont know enough of the AST API to figure out what you are trying/avoiding etc
Same here, although it looks to me like this approach could work. Or
I'm just not clever enough to see how it could be exploited.
More information about the Python-list
mailing list