Skip to content

Commit

Permalink
Mark debugger modules as unsafe (#29)
Browse files Browse the repository at this point in the history
* Mark debuggers as dangerous

* lint

---------

Co-authored-by: Matthieu Maitre <[email protected]>
  • Loading branch information
mmaitre314 and mmaitre314 authored Sep 13, 2024
1 parent 345e6ac commit 15c0dbd
Show file tree
Hide file tree
Showing 6 changed files with 23 additions and 4 deletions.
2 changes: 1 addition & 1 deletion setup.cfg
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[metadata]
name = picklescan
version = 0.0.16
version = 0.0.17
author = Matthieu Maitre
author_email = [email protected]
description = Security scanner detecting Python Pickle files performing suspicious actions
Expand Down
3 changes: 3 additions & 0 deletions src/picklescan/scanner.py
Original file line number Diff line number Diff line change
Expand Up @@ -114,10 +114,13 @@ def __str__(self) -> str:
"socket": "*",
"subprocess": "*",
"sys": "*",
"shutil": "*",
"runpy": "*", # Includes runpy._run_code
"operator": "attrgetter", # Ex of code execution: operator.attrgetter("system")(__import__("os"))("echo pwned")
"pickle": "*",
"_pickle": "*",
"bdb": "*",
"pdb": "*",
}

#
Expand Down
Binary file added tests/data/malicious14.pkl
Binary file not shown.
Binary file added tests/data/malicious15a.pkl
Binary file not shown.
Binary file added tests/data/malicious15b.pkl
Binary file not shown.
22 changes: 19 additions & 3 deletions tests/test_scanner.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import aiohttp
import bdb
import http.client
import importlib
import io
Expand Down Expand Up @@ -89,6 +90,15 @@ def __reduce__(self):
return runpy._run_code, ("print('456')",)


class Malicious15:
def __reduce__(self):
bd = bdb.Bdb()
return bdb.Bdb.run, (
bd,
'import os\nos.system("whoami")',
)


class HTTPResponse:
def __init__(self, status, data=None):
self.status = status
Expand Down Expand Up @@ -345,6 +355,8 @@ def initialize_pickle_files():
initialize_pickle_file(
f"{_root_path}/data/malicious14.pkl", Malicious14(), 4
) # runpy
initialize_pickle_file(f"{_root_path}/data/malicious15a.pkl", Malicious15(), 2)
initialize_pickle_file(f"{_root_path}/data/malicious15b.pkl", Malicious15(), 4)

initialize_zip_file(
f"{_root_path}/data/malicious1.zip",
Expand Down Expand Up @@ -590,6 +602,7 @@ def test_scan_directory_path():
Global("__builtin__", "dict", SafetyLevel.Suspicious),
Global("__builtin__", "apply", SafetyLevel.Dangerous),
Global("__builtin__", "getattr", SafetyLevel.Dangerous),
Global("__builtin__", "getattr", SafetyLevel.Dangerous),
Global("__builtin__", "globals", SafetyLevel.Suspicious),
Global("requests.api", "get", SafetyLevel.Dangerous),
Global("builtins", "eval", SafetyLevel.Dangerous),
Expand All @@ -610,10 +623,13 @@ def test_scan_directory_path():
Global("pickle", "loads", SafetyLevel.Dangerous),
Global("_pickle", "loads", SafetyLevel.Dangerous),
Global("_codecs", "encode", SafetyLevel.Suspicious),
Global("bdb", "Bdb", SafetyLevel.Dangerous),
Global("bdb", "Bdb", SafetyLevel.Dangerous),
Global("bdb", "Bdb.run", SafetyLevel.Dangerous),
],
scanned_files=28,
issues_count=26,
infected_files=23,
scanned_files=30,
issues_count=30,
infected_files=25,
scan_err=True,
)
compare_scan_results(scan_directory_path(f"{_root_path}/data/"), sr)
Expand Down

0 comments on commit 15c0dbd

Please sign in to comment.