Opened 3 years ago
Closed 3 years ago
#33287 closed Cleanup/optimization (fixed)
eval() in geojson serializer (hardening)
| Reported by: | David Wyde | Owned by: | Maxim Piskunov |
|---|---|---|---|
| Component: | GIS | Version: | 3.2 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
In Django 3.2.9, there is a call to eval() in django/contrib/gis/serializers/geojson.py:
```python
class Serializer(JSONSerializer):
    ...
    def get_dump_object(self, obj):
        ...
        data["geometry"] = eval(self._geometry.geojson)
```
Given an `app/models.py` of

```python
from django.db import models


class Model(models.Model):
    value = models.Field()
```
and a `demo.py` of

```python
from django.core import serializers
from app.models import Model


class Geo:
    def __init__(self):
        self.srid = 4326
        self.geojson = '__import__("os").system("ls -l")'


geo = Geo()
m = Model(value=geo)
serializers.serialize('geojson', [m], geometry_field='value')
```
```
python3 manage.py shell <demo.py
```

runs `ls -l`.

The above code requires that `django.contrib.gis` is in `INSTALLED_APPS` and that `apt install gdal-bin` was run on Ubuntu 20.04.
I've been told by the Django security team that this won't be exploited through normal use of the geojson serializer, so this is a hardening issue that can be tracked in Trac.
Change History (8)
comment:1 by , 3 years ago
Triage Stage: Unreviewed → Accepted
comment:2 by , 3 years ago
comment:3 by , 3 years ago
Type: Uncategorized → Cleanup/optimization
comment:4 by , 3 years ago
Has patch: set
Owner: changed from | to
Status: new → assigned
comment:5 by , 3 years ago
Owner: changed from | to
It looks like there's https://github.com/django/django/pull/15088, but I submitted https://github.com/django/django/pull/15089.
I'm getting some errors and failures when I run `python3 runtests.py gis_tests --settings settings` where `settings.py` sets a MySQL GIS backend, but the eval/json.loads change doesn't affect that. I filed https://code.djangoproject.com/ticket/33292 for that.
comment:7 by , 3 years ago
Triage Stage: Accepted → Ready for checkin
I've confirmed that switching `eval` to `json.loads` addresses the issue and passes the test suite. David, would you like to submit a PR with this change?
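The contrast between the `eval()` call reported in the description and the `json.loads()` replacement confirmed in comment 7, as an added example that is not part of this ticket or of Django's code. It needs no Django or GDAL: the two sample strings are constructed stand-ins for what a `GEOSGeometry.geojson` property would hand the serializer, and the function names are assumptions. The non-JSON sample uses harmless arithmetic in place of a coordinate, which is enough to show that `eval()` executes whatever the string contains while `json.loads()` only ever decodes data.

```python
"""Vulnerable vs. hardened parsing of a serializer's geometry text."""
import json

# Constructed sample: GeoJSON text in the shape GEOS emits for a point.
POINT_GEOJSON = '{ "type": "Point", "coordinates": [ 10.0, 20.0 ] }'

# Constructed sample: not valid JSON. A Python expression sits where a
# number belongs. eval() runs it; json.loads() rejects it.
EXPRESSION_PAYLOAD = '{ "type": "Point", "coordinates": [ 1 + 1, 20.0 ] }'


def parse_geometry_unsafe(geojson_text):
    """Parse the way the reported code did: run the text as Python source.

    This only "works" for genuine GeoJSON because GEOS output consists of
    objects, arrays, strings and numbers, which happen to be valid Python
    literals too. Anything else in the string is executed as code.
    """
    return eval(geojson_text)  # the pattern the ticket reports; kept for contrast


def parse_geometry(geojson_text):
    """Parse the way the fix does: decode the text as JSON data.

    Input that is not JSON raises json.JSONDecodeError instead of running.
    """
    return json.loads(geojson_text)


def compare_parsers(geojson_text):
    """Run both parsers on one input and report what each did.

    Returns a dict with the eval() result under "eval" and, under "json",
    either the decoded value or the name of the exception json.loads() raised.
    """
    report = {"eval": parse_geometry_unsafe(geojson_text)}
    try:
        report["json"] = parse_geometry(geojson_text)
    except json.JSONDecodeError as exc:
        report["json"] = type(exc).__name__
    return report


if __name__ == "__main__":
    for label, text in (("genuine GeoJSON", POINT_GEOJSON),
                        ("non-JSON input", EXPRESSION_PAYLOAD)):
        print(label, compare_parsers(text))
```

On the genuine GeoJSON both parsers return the same dict, which is why the `eval()` version passed the test suite unnoticed. On the non-JSON input `eval()` quietly returns coordinates of `[2, 20.0]`, proving the string was executed, while `json.loads()` stops with a `JSONDecodeError`; a serializer built on the latter never runs code supplied through a geometry value.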