
Security Fix for Insecure Deserialization - huntr.dev#4541

Closed
huntr-helper wants to merge 2 commits intonetworkx:masterfrom
418sec:1-pip-networkx

Conversation

@huntr-helper

https://huntr.dev/users/B3EF has fixed the Insecure Deserialization vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/networkx/1/README.md |

User Comments:

📊 Metadata *

Arbitrary code execution fix

Bounty URL: https://www.huntr.dev/bounties/1-pip-networkx

⚙️ Description *

NetworkX is a Python package for the creation, manipulation, and study of the structure, dynamics, and functions of complex networks. This package was vulnerable to Arbitrary code execution via Insecure YAML deserialization due to the use of a known vulnerable function load() in yaml.

💻 Technical Description *

This package was vulnerable to Arbitrary code execution due to the use of a known vulnerable function load() in YAML. Changing that to safe_load or using SafeLoader will fix the issue.

🐛 Proof of Concept (PoC) *

🔥 Proof of Fix (PoF) *

👍 User Acceptance Testing (UAT)

I have just changed the load function to safe_load; it ain't going to break anything.
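To show what the safe_load change in this PR actually buys, here is an added example (not code from NetworkX or from this PR): a small YAML graph reader that uses `yaml.safe_load`, plus a check that the safe loader refuses a document carrying a `!!python/...` tag, which is the kind of input the legacy `yaml.load(stream)` call would have resolved. The function names and the two YAML documents are constructed for illustration.

```python
import yaml

# Constructed sample: a harmless graph description in YAML.
SAFE_DOC = """
nodes: [a, b, c]
edges:
  - [a, b]
  - [b, c]
"""

# Constructed sample: same shape, but one value carries a python tag.
# Only the unsafe loader (legacy yaml.load(stream) in old PyYAML) would
# resolve such a tag into a Python object; SafeLoader rejects it.
TAGGED_DOC = """
nodes: [a, b]
edges: !!python/name:builtins.str
"""


def load_graph_yaml(text):
    """Parse a YAML graph description with the safe loader only.

    Returns (nodes, edges) as plain strings and string pairs. Any document
    that uses a tag outside the core YAML schema makes yaml.safe_load raise
    yaml.constructor.ConstructorError, so no object construction can occur.
    """
    data = yaml.safe_load(text)
    nodes = [str(n) for n in data.get("nodes", [])]
    edges = [(str(u), str(v)) for u, v in data.get("edges", [])]
    return nodes, edges


def rejects_python_tags(text):
    """True if the safe loader refuses the document because of a non-core tag."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print(load_graph_yaml(SAFE_DOC))
    print("tagged document rejected:", rejects_python_tags(TAGGED_DOC))
```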

B3EF and others added 2 commits December 21, 2020 17:13
@stefanv
Contributor

stefanv commented Jan 17, 2021

Test failures seem related.

@jarrodmillman
Member

jarrodmillman commented Jan 18, 2021

This is also a deprecated function that we are planning to remove. My vote would be to just close this.

@dschult
Member

dschult commented Jan 20, 2021

See also #4548
We are removing this code in NetworkX v3.0... Maybe not soon enough. :)

@david2764

Any chance that you pull the fix into an earlier version? Our security scanning systems are flagging this up.

@dschult
Member

dschult commented May 12, 2021

Just to make sure I understand your needs... Would a new release of NetworkX (coming soon) correct your issues?
Or will you need the 2.5.1 version to pass these security scans even after NetworkX moves to v2.6?

@ksyme99

ksyme99 commented May 18, 2021

Hi, we have a middle-man artifact tool (JFrog) which has a security scanner (Xray) which has blocked networkx due to this vulnerability. We have managed to get an exception added, but it would be good to know timescales for a release to resolve it, to be able to remove the exception. My understanding from scanning all the related issues/PRs is that v2.6 should remove the vulnerability as PyYAML has been updated to remove the unsafe code (the offending function has a different loader type, similar to this PR, from #4548). In a future v3 the whole thing is going to go as it is deprecated. Is there a timescale on the v2.6 release?

@MridulS
Member

MridulS commented May 18, 2021

v2.6 should be out by May 31st.
We have removed pyyaml from v2.6 #4802 so it should solve these issues.
