Python pickle attack

I am writing a web application that stores user input in an object. This object will be pickled.

Is it possible that the user can create malicious input that can do something rude when the object is unpickled?

Here is a really simple code example that ignores wonderful principles like encapsulation, but embodies what I'm looking for:

    import pickle

    class X(object):
        some_attribute = None

    x = X()
    x.some_attribute = 'insert some user input that could possibly be bad'

    p = pickle.dumps(x)

    # Can bad things happen here if the object, before being pickled, contained
    # potentially bad data in some_attribute?
    x = pickle.loads(p)
+27
python security pickle
Apr 23 2018-12-12T00:
3 answers

Yes and no...

No - if there is no bug in the interpreter or the pickle module, you cannot run arbitrary code using pickled text or something like that, unless the pickled text is eval'ed later, or you do things such as creating a new object with the type mentioned in this data.

Yes - depending on what you plan to do with the information in the object later, the user can do all kinds of things. From SQL injection attempts to changing credentials, password cracking, or anything else that should be considered when checking user input. But you are probably checking all of this.

Edit:

The Python documentation states the following:

Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

However, this is not your case - you accept the input, put it through a regular check, and then pickle it.

+13
Apr 23 2018-12-12T00:

Well, according to the documentation:

 Warning The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source. 

This would mean that you could attack this functionality by simply invoking it if the data structure existed in such a state that the pickle algorithm entered a state where the behavior of the program was not guaranteed.

According to this site:

    import pickle

    # Python 3 requires a bytes object here; the b prefix also works on Python 2.6+
    pickle.loads(b"cos\nsystem\n(S'ls ~'\ntR.")  # This will run: ls ~

That is all that is required to execute arbitrary code. There are other examples, as well as an "improvement" to pickling for safety reasons.

+7
Apr 23 2018-12-12T00:
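The two situations discussed in the answers above, side by side, as an added example that is not code from any of the answers or from the site linked there: user text stored in a pickled record comes back as plain data, while a crafted pickle stream is refused by a `pickle.Unpickler` subclass that overrides `find_class`. The names `RestrictedUnpickler`, `restricted_loads`, `round_trip_user_text` and `is_rejected` are assumptions made for this example, and a plain dict stands in for the question's `X` object.

```python
import io
import pickle

# Empty allow-list: str, int, list and dict have their own opcodes and need no
# global lookup, so the record below loads without any entry here.
ALLOWED_GLOBALS = frozenset()

# Constructed sample: the payload quoted in the answer above, as bytes.
PAGE_PAYLOAD = b"cos\nsystem\n(S'ls ~'\ntR."
# The same characters typed by a user into a form field (plain text).
HOSTILE_TEXT = PAGE_PAYLOAD.decode("ascii")


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global that is not explicitly allow-listed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def round_trip_user_text(text: str) -> dict:
    """Pickle a record holding user text, then load it back."""
    return restricted_loads(pickle.dumps({"some_attribute": text}))


def is_rejected(blob: bytes) -> bool:
    """True if loading stops at the global lookup, before any call is made."""
    try:
        restricted_loads(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(round_trip_user_text(HOSTILE_TEXT))  # comes back as an ordinary str
    print(is_rejected(PAGE_PAYLOAD))           # lookup of os.system is refused
```

If the application pickles its own classes, each one has to be added to `ALLOWED_GLOBALS` as a `(module, name)` pair before `restricted_loads` will reconstruct it.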

I found this in the documentation of the multiprocessing module, which I think answers the question:

Warning

The Connection.recv() method automatically unpickles the data it receives, which can be a security risk if you cannot trust who sent the message.

Therefore, if the connection object was not created using Pipe(), you should only use the recv() and send() methods after performing some kind of authentication. See the Authentication keys section.

(emphasis mine)

The conclusion is that if the connection object is created using a trusted pipe, that is, a trusted pickle, then it can be safely unpickled.

0
Jan 26 '17 at 1:29 on


