All of the Python SSE servers currently support arbitrary command injection. Some of the other examples do a better job restricting functions to expected code input.
Mutual TLS should be in front of these servers, but in case it's not configured anyone can execute arbitrary OS commands fairly easily against the examples.
The eval and exec functions are unsafe for user input. It'd be good to update the examples with a more secure server for users to use as a template.
Steps to Reproduce
Set up a Qlik analytic connection and run any of the example Python servers, such as helloworld
Configure the extension editor in Qlik to run SSEPython.ScriptEvalStr('__import__("os").popen("ls -la").read()', HelloWorldData). Modify the output field if not using the SSE_Hello_World.qvf to another string field.
Apply the expression and observe that the server executes ls -la on the host.
For columnoperations: SSEPython.ScriptEval('__import__("os").popen("ls -la").read()', [], HelloWorldData)
For fullscriptsupport_pandas (which used exec instead of eval): SSEPython.ScriptEval('__import__("os").popen("touch /tmp/x").read()')
The fullscriptsupport example can use the same payload as the helloworld example.
Expected behavior
The example servers should be secure against remote code execution vulnerabilities.
Actual behavior
Unexpected users can execute OS commands on servers hosting the Python examples.
Environment
Operating system
[ ] Windows
[X] Linux
Qlik Sense
[ ] Desktop
[X] Server
Versions
server-side-extension: Latest