Skip to content

FIX make sure pre_dispatch cannot do arbitrary code execution#1321

Merged
ogrisel merged 2 commits intojoblib:masterfrom
adrinjalali:eval
Sep 5, 2022
Merged

FIX make sure pre_dispatch cannot do arbitrary code execution#1321
ogrisel merged 2 commits intojoblib:masterfrom
adrinjalali:eval

Conversation

@adrinjalali
Copy link
Member

@adrinjalali adrinjalali commented Sep 5, 2022

Fixes #1128

Make sure nothing's available to eval for pre_dispatch.

cc @ogrisel

@adrinjalali adrinjalali mentioned this pull request Sep 5, 2022
Closed
@codecov
Copy link

codecov bot commented Sep 5, 2022
edited
Loading

Codecov Report

Merging #1321 (415fa23) into master (1fdf308) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #1321      +/-   ##
==========================================
+ Coverage   93.90%   93.92%   +0.01%     
==========================================
  Files          50       50              
  Lines        7270     7270              
==========================================
+ Hits         6827     6828       +1     
+ Misses        443      442       -1
Impacted Files Coverage Δ
joblib/parallel.py 96.02% <100.00%> (-0.54%) ⬇️
joblib/pool.py 87.80% <0.00%> (-0.82%) ⬇️
joblib/memory.py 95.51% <0.00%> (+0.26%) ⬆️
joblib/backports.py 70.70% <0.00%> (+1.01%) ⬆️
joblib/_store_backends.py 91.79% <0.00%> (+1.02%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@ogrisel
Copy link
Contributor

ogrisel commented Sep 5, 2022
edited
Loading

Thanks for the fix! I assume that this is enough but alternatively we could try to use the ast module to parse the tree to check that there are only arithmetic operations involved.

Let's wait for the CI to complete before merging.

@adrinjalali
Copy link
Member Author

adrinjalali commented Sep 5, 2022

I'm not sure if it's worth having this feature if we're going to parse it and add that complexity to the code 😅

@ogrisel ogrisel merged commit b90f10e into joblib:master Sep 5, 2022
@ogrisel
Copy link
Contributor

ogrisel commented Sep 5, 2022

The CI was green, merged.

@adrinjalali adrinjalali deleted the eval branch September 5, 2022 13:19
@GaelVaroquaux
Copy link
Member

GaelVaroquaux commented Sep 5, 2022

Cool!

@adrinjalali adrinjalali mentioned this pull request Sep 12, 2022
Merged
@NicolasGensollen NicolasGensollen mentioned this pull request Sep 30, 2022
Merged
gma added a commit to gma/ngram-builder that referenced this pull request Sep 30, 2022
@gma
Upgrade joblib to fix vulnerability
fe6148e 
See joblib/joblib#1321 for details.
@thomasjpfan thomasjpfan mentioned this pull request Sep 30, 2022
Closed
jeremiedbb pushed a commit to jeremiedbb/joblib that referenced this pull request Oct 7, 2022
@adrinjalali @jeremiedbb
FIX make sure pre_dispatch cannot do arbitrary code execution (joblib…
01b1ed4 
…#1321)
@jeremiedbb jeremiedbb mentioned this pull request Oct 7, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

The potential security vulnerability for the flag pre_dispatch in Parallel() class due to the eval() statement.

3 participants

@adrinjalali @ogrisel @GaelVaroquaux