Nice to meet you, ma fren π«‘. Sorry, I ain't DEVing that much βοΈ , primarily due to the nature of maintaining Open Source projects π·, while also gigging π°. Anyways, stay humble like a bumblebee π.
The other day, I was tinkering around that library hunting for security vulns, turns out that the majority of os methods are blocked by default. So, I was attempting the following:
with open("/lib/python3.10/hacky_module.py", "wt") as f:
f.write("import os;command = "ls-la";print(os.system(command))")
import hacky_module
Which gives the following output:
-1
Meaning that an error was thrown. However, you can run the following:
So, the framework is pretty secure. Other than the race condition, the only downside is being ridiculously slow. I am not sure whether or not it is a problem tied to the framework or the language itself: python. Most likely the latter. I will be investigating this over the weekend.
It runs in WASM so any vulnerabilities you'd get would be browser vulnerabilities, right?
There's probably some fake emulated "file system", wasm running in the browser has no access to platform files.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
The other day, I was tinkering around that library hunting for security vulns, turns out that the majority of
osmethods are blocked by default. So, I was attempting the following:Which gives the following output:
Meaning that an error was thrown. However, you can run the following:
which returns:
Same for the
subprocessmodule:Which throws an error when executing it.
So, the framework is pretty secure. Other than the race condition, the only downside is being ridiculously slow. I am not sure whether or not it is a problem tied to the framework or the language itself: python. Most likely the latter. I will be investigating this over the weekend.
It runs in WASM so any vulnerabilities you'd get would be browser vulnerabilities, right?
There's probably some fake emulated "file system", wasm running in the browser has no access to platform files.