Uploaded image for project: 'AI Platform Core Components'
  1. AI Platform Core Components
  2. AIPCC-9494

[BOT][Security] CWE-78 in runner.py:1369

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False

      Vulnerability Details

      CWE Type(s): CWE-78 (OS Command Injection)
      Severity: HIGH
      Team: PyTorch Compile

      Location

      • File: benchmarks/dynamo/runner.py
      • Lines: 1369

      Description

      Command injection vulnerability in benchmark runner subprocess execution. The affected code uses subprocess.check_call() with shell=True and f-string formatting, allowing command injection through unsanitized variables (day, dtype, target_dir). Variables could contain shell metacharacters leading to arbitrary command execution.

      Impact

      • Arbitrary command execution with application privileges during benchmark execution
      • Potential system compromise through malicious benchmark parameters
      • CI/CD pipeline security risk
      • Data exfiltration or tampering with benchmark results

      Root Cause

      The code at line 1369 uses subprocess.check_call() with shell=True parameter and f-string interpolation without proper input validation or sanitization. Shell metacharacters in any of the variables (day, dtype, target_dir) would be interpreted by the shell, allowing command injection.

      Fix Status

      MR Link: https://gitlab.com/redhat/rhel-ai/team-pytorch/pytorch/-/merge_requests/41
      Fix Branch: security-fix-cwe78-runner-shell
      Status: IMPLEMENTED

      Fix Summary: Replaced subprocess.check_call with shell=True with Python file operations to write to lookup file safely.

      Related Exploit Files

      • test_cmdi_runner.py - Regression test validating the fix

      Exploit Code Sample

      # VULNERABLE CODE (line 1369):
subprocess.check_call(
    f'echo "{day},performance,{dtype},{target_dir}" >> {self.lookup_file}',
    shell=True
)

# ATTACK VECTOR:
day = '2024-01-01"; cat /etc/passwd #'
# Results in command: echo "2024-01-01"; cat /etc/passwd #,performance,..." >> file
# Executes: cat /etc/passwd

# SAFE FIX:
with open(self.lookup_file, 'a') as f:
    f.write(f"{day},performance,{dtype},{target_dir}\n")

      References

      Generated by CI Security Bot

        1. test_cmdi_runner.py
          8 kB
        2. test_cwe78_runner_shell_injection.py
          11 kB

              Unassigned Unassigned
              pytorch-engineering PyTorch Engineering
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: