From 15c0dbd3bbe4dae46301acfc1cc6e7de5b856509 Mon Sep 17 00:00:00 2001
From: Matthieu Maitre
Date: Fri, 13 Sep 2024 08:17:05 -0700
Subject: [PATCH] Mark debugger modules as unsafe (#29)

* Mark debuggers as dangerous
* lint
---------
Co-authored-by: Matthieu Maitre
---
 setup.cfg | 2 +-
 src/picklescan/scanner.py | 3 +++
 tests/data/malicious14.pkl | Bin 0 -> 53 bytes
 tests/data/malicious15a.pkl | Bin 0 -> 175 bytes
 tests/data/malicious15b.pkl | Bin 0 -> 134 bytes
 tests/test_scanner.py | 22 +++++++++++++++++++---
 6 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 tests/data/malicious14.pkl
 create mode 100644 tests/data/malicious15a.pkl
 create mode 100644 tests/data/malicious15b.pkl
diff --git a/setup.cfg b/setup.cfg
index dff8e15..c52dab0 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,6 +1,6 @@
 [metadata]
 name = picklescan
-version = 0.0.16
+version = 0.0.17
 author = Matthieu Maitre
 author_email = mmaitre314@users.noreply.github.com
 description = Security scanner detecting Python Pickle files performing suspicious actions
diff --git a/src/picklescan/scanner.py b/src/picklescan/scanner.py
index 145bd49..08965ed 100644
--- a/src/picklescan/scanner.py
+++ b/src/picklescan/scanner.py
@@ -114,10 +114,13 @@ def __str__(self) -> str:
 "socket": "*",
 "subprocess": "*",
 "sys": "*",
+ "shutil": "*",
 "runpy": "*", # Includes runpy._run_code
 "operator": "attrgetter", # Ex of code execution: operator.attrgetter("system")(__import__("os"))("echo pwned")
 "pickle": "*",
 "_pickle": "*",
+ "bdb": "*",
+ "pdb": "*",
 }

 #
diff --git a/tests/data/malicious14.pkl b/tests/data/malicious14.pkl
new file mode 100644
index 0000000000000000000000000000000000000000..478ddf1b317c309db12016af09493eab73cc34dd
GIT binary patch literal 53 zcmZo*nX1JA0X?imrFjLFQ+hb#fsFX%{FKxwlc)6X6clCVm1wA&n3}0;PHCMIG(`^p Dsap|g literal 0 HcmV?d00001
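Review bot: In the src/picklescan/scanner.py hunk the new `"shutil"`, `"bdb"` and `"pdb"` entries have no comment saying which capability makes them unsafe, while the neighbouring `runpy` and `operator` lines do, and `shutil` is not a debugger, so the commit subject does not account for it either. I would annotate them in the same style, for example `"shutil": "*",  # File copy/move/delete, e.g. shutil.rmtree`, `"bdb": "*",  # Includes bdb.Bdb.run` and `"pdb": "*",  # Includes pdb.run`. The dict's opening line and the code that looks names up in it are outside the hunk, so it is not visible here whether a key matches only that exact module name; if it does, a one-line comment above the dict saying so would tell maintainers that each related module needs its own entry.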
diff --git a/tests/data/malicious15a.pkl b/tests/data/malicious15a.pkl new file mode 100644 index 0000000000000000000000000000000000000000..8a366becacf9ca620cd2fc93763946de487ca105 GIT binary patch literal 175 zcmWlOy$*sf7)6U9X#L>{Obin&JcJLxz|^g2YlQ||_}UWVK%xuJZ5>W>&pn@wpp?(* z>6M`rchWQOEe0g`o#R^oA`&Bn>}+7OLfk^qN7Wa$3#27ULUDtdAZth(Hn)-u4t5Ld zNf!KJ1QWdkyug9v|HCpZsg-`VMwt$d&CJOq1f{3Z`s?WM=xX