
FIX make sure pre_dispatch cannot do arbitrary code execution #1321

Merged
ogrisel merged 2 commits into joblib:master from adrinjalali:eval
Sep 5, 2022

Conversation

@adrinjalali
Member

Fixes #1128

Make sure nothing's available to eval for pre_dispatch.

cc @ogrisel

@codecov

codecov bot commented Sep 5, 2022

Codecov Report

Merging #1321 (415fa23) into master (1fdf308) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #1321      +/-   ##
==========================================
+ Coverage   93.90%   93.92%   +0.01%     
==========================================
  Files          50       50              
  Lines        7270     7270              
==========================================
+ Hits         6827     6828       +1     
+ Misses        443      442       -1     
Impacted Files              Coverage Δ
joblib/parallel.py          96.02% <100.00%> (-0.54%) ⬇️
joblib/pool.py              87.80% <0.00%>   (-0.82%) ⬇️
joblib/memory.py            95.51% <0.00%>   (+0.26%) ⬆️
joblib/backports.py         70.70% <0.00%>   (+1.01%) ⬆️
joblib/_store_backends.py   91.79% <0.00%>   (+1.02%) ⬆️

@ogrisel
Contributor

ogrisel commented Sep 5, 2022

Thanks for the fix! I assume that this is enough but alternatively we could try to use the ast module to parse the tree to check that there are only arithmetic operations involved.

Let's wait for the CI to complete before merging.

@adrinjalali
Member Author

I'm not sure if it's worth having this feature if we're going to parse it and add that complexity to the code 😅
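The alternative ogrisel raises above, a parser-level check that admits only arithmetic over the single name `n_jobs`, as an added illustration written for this page. It is not joblib's code and not the diff of this PR (which is not shown here); `safe_eval_pre_dispatch`, `restricted_eval`, `is_safe_pre_dispatch`, the whitelisted operator set and the inputs in the `__main__` block are all assumptions of the example. `restricted_eval` is included only as a contrast, to show that emptying `__builtins__` filters names but not grammar.

```python
import ast
import operator

# Binary and unary operators an expression may use. Assumption for this
# example: pre_dispatch strings such as "2*n_jobs" only ever need plain
# arithmetic. Pow is deliberately absent so "9**9**9" cannot burn CPU.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def restricted_eval(expr, n_jobs):
    """eval() with empty builtins and a single bound name (contrast only).

    An empty __builtins__ removes the obvious helpers, but attribute access
    on the values that *are* bound is still evaluated: this is a name
    filter, not a grammar filter.
    """
    return eval(expr, {"__builtins__": {}}, {"n_jobs": n_jobs})


def safe_eval_pre_dispatch(expr, n_jobs):
    """Evaluate an arithmetic expression over the single name ``n_jobs``.

    The string is parsed with ``ast`` and walked node by node; anything that
    is not an int/float literal, the name ``n_jobs`` or a whitelisted
    operator raises ValueError before anything is evaluated, so attribute
    access, calls, subscripts, lambdas and comprehensions never run.
    joblib documents the literal 'all' as a special value; this example
    expects callers to handle it before calling in, and rejects it here.
    """
    if isinstance(expr, (int, float)):
        return expr
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid pre_dispatch expression {expr!r}") from exc

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        # type() rather than isinstance() so that bool literals are rejected.
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.Name) and node.id == "n_jobs":
            return n_jobs
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(
            f"disallowed {type(node).__name__} in pre_dispatch expression {expr!r}"
        )

    return walk(tree)


def is_safe_pre_dispatch(expr, n_jobs=1):
    """True if ``expr`` is accepted by the arithmetic-only evaluator."""
    try:
        safe_eval_pre_dispatch(expr, n_jobs)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the first two are what a user would pass, the rest
    # are shapes a grammar filter must reject without evaluating them.
    for expr in ("2*n_jobs", "n_jobs - 1", "n_jobs.__class__.__mro__",
                 "__import__('os').system('id')", "[n_jobs][0]", "9**9**9"):
        print(f"{expr!r:40} safe={is_safe_pre_dispatch(expr, 4)}")
    # Contrast: restricted eval still evaluates attribute access on n_jobs.
    print(restricted_eval("n_jobs.__class__.__name__", 4))
```

The walker rejects a node before descending into it, so a `Call` or `Subscript` at the root is refused without any of its arguments being touched, and a rejected expression is never passed to `eval` at all.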

@ogrisel ogrisel merged commit b90f10e into joblib:master Sep 5, 2022
@ogrisel
Contributor

ogrisel commented Sep 5, 2022

The CI was green, merged.

@adrinjalali adrinjalali deleted the eval branch September 5, 2022 13:19
@GaelVaroquaux
Member

Cool!


Development

Successfully merging this pull request may close these issues.

The potential security vulnerability for the flag pre_dispatch in Parallel() class due to the eval() statement.

3 participants