Add attrgetter to DEFAULT unsafe (#70)

protectai · Jan 8, 2024 · e09c6c3 · e09c6c3
1 parent b08ea81
commit e09c6c3
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/modelscan/settings.py b/modelscan/settings.py
@@ -78,6 +78,7 @@
                 "socket": "*",
                 "subprocess": "*",
                 "sys": "*",
+                "operator": "attrgetter",  # Ex of code execution: operator.attrgetter("system")(__import__("os"))("echo pwned")
             },
             "HIGH": {
                 "webbrowser": "*",  # Includes webbrowser.open()