superset-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <>
Subject [GitHub] [incubator-superset] kelly-grizzle-sp opened a new issue #10785: Remote code execution via jinja2 template injection
Date Thu, 03 Sep 2020 19:11:07 GMT

kelly-grizzle-sp opened a new issue #10785:

   Commands can be run on the operating system of the server hosting superset by using the
"uuid" module that is made available to jinja2 templates.
   #### Screenshots
   <img width="1241" alt="Screen Shot 2020-09-03 at 2 08 56 PM" src="">
   <img width="1665" alt="Screen Shot 2020-09-03 at 2 09 31 PM" src="">
   #### How to reproduce the bug
   1. Go to Charts
   2. Click on the plus sign to create a new chart.
   3. Choose any datasource and use the "Table" viz type.
   4. Select any field in the "Filters" field.
   5. Click the "Custom SQL" tab.
   6. After the equals sign, add the following (including the quotes): '{{ uuid.os.popen('ls
   7. Click Save to save the custom SQL.
   8. Click the "Run Query" button.
   9. Click the "View Query" menu item from the hamburger menu at the top right of the chart.
   10. You will see the results of running the `ls` command on the file system in the query.
 Note: this command is non-destructive but a user could issue any command that is available
in the PATH of the underlying OS.
   ### Environment
   - superset version: Superset 0.999.0dev (70c676478080bb0daec8cd0768cf7d01cdd309ea)
   - python version: Python 3.7.3
   - node.js version: v10.15.1
   - npm version: 6.4.1
   ### Checklist
   Make sure these boxes are checked before submitting your issue - thank you!
   - [X] I have checked the superset logs for python stacktraces and included it here as text
if there are any.
   - [X] I have reproduced the issue with at least the latest released version of superset.
   - [X] I have checked the issue tracker for the same issue and I haven't found one similar.

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message