The potential security vulnerability for the flag pre_dispatch in Parallel() class due to the eval() statement. #1128
Comments
Thanks for the report. We should indeed improve this by making sure that the
Something like the following should work:

    # Set builtins to an empty dict to make it impossible to import arbitrary modules
    # and perform other unsafe operations.
    pre_dispatch = eval(pre_dispatch, {"n_jobs": n_jobs, "__builtins__": {}})
We might want to add a whitelist of allowed built-ins that can be useful for arithmetic operations (e.g. round, ceil, int, abs, float...), though.
Cool!
Opened #1321
@jimlinntu @ogrisel What is the rationale of marking this a security issue? Presumably if someone uses Unless I'm missing something, restricting
The rationale for using
If someone exposes the pre_dispatch parameter in a user-facing web UI or config file, for instance, they might not expect that this can lead to arbitrary Python code injection.
I would be ok to accept a callable if needed.
@ogrisel Ok, I see how this might be a potential issue, though I would think this comes down to secure programming practices, i.e. never trust user input. Anyhow, I would prefer if pre_dispatch were changed into accepting expressions as a callable only, or perhaps to document the use of eval(). |
It's not just a user facing web UI. This argument is passed to We certainly shouldn't allow callable as an expression, since that itself again opens the door to easy exploitation. Accepting a callable, however, might be okay. |
Even with the ast-based version, exceptions can escape, e.g.
This fix was more about arbitrary code execution rather than an exception-free run. I think
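To illustrate the direction the thread discusses (parse the expression with ast and allow only arithmetic on n_jobs, instead of relying on eval() with a stripped __builtins__), here is an added example; it is not joblib's code and the function names are my own. It also folds parse and arithmetic errors into a single ValueError, the "exceptions can escape" point raised above.

```python
import ast
import operator

# Binary operators a pre_dispatch expression such as "2*n_jobs" may use.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
}


def safe_pre_dispatch(expr, n_jobs):
    """Evaluate a pre_dispatch expression without eval().

    Accepted: integer literals, the name n_jobs, unary minus and the operators
    in _BINOPS. Anything else (calls, attribute access, strings, other names)
    is rejected. SyntaxError and ZeroDivisionError are converted to ValueError
    so callers only ever see one exception type for bad input.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as e:
        raise ValueError(f"invalid pre_dispatch {expr!r}: {e.msg}") from None

    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value  # "is int" also rejects True/False
        if isinstance(node, ast.Name) and node.id == "n_jobs":
            return n_jobs
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -visit(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            left, right = visit(node.left), visit(node.right)
            try:
                return _BINOPS[type(node.op)](left, right)
            except ZeroDivisionError:
                raise ValueError("division by zero in pre_dispatch") from None
        raise ValueError(f"unsupported syntax in pre_dispatch: {type(node).__name__}")

    return visit(tree)


def rejects(expr, n_jobs=2):
    """True if safe_pre_dispatch refuses expr with ValueError."""
    try:
        safe_pre_dispatch(expr, n_jobs)
    except ValueError:
        return True
    return False
```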
As the title shows, if you try to enter a statement in the flag pre_dispatch, it will run whatever you want to run. This should present a potential security vulnerability.
joblib/joblib/parallel.py, line 1020 in 53a8173