Fix: Remove unsafe exec(raw_command) and restrict command field to app functions#2247
Open
Yunkaiwjs wants to merge 1 commit into
Open
Conversation
…p functions - CVE-94 Code Injection: Removed direct exec() of raw_command from Lambda events. Replaced with ValueError to prevent arbitrary Python code execution. - CVE-94 Arbitrary module import: Restricted the 'command' event field to only allow functions from the configured APP_MODULE, preventing arbitrary module/function imports from unsanitized event data. - Updated test for raw_command to expect ValueError. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes two high-severity security vulnerabilities in the Lambda handler:
Vulnerability 1: Remote Code Execution via
exec(raw_command)(CVE-94, CVSS 8.6)The
raw_commandfield from the Lambda event dictionary was passed directly toexec()with zero sanitization, allowing arbitrary Python code execution from any Lambda event source.Fix: Removed the direct
exec()call. Theraw_commandhandler now raises aValueErrorto prevent any code execution. This is the safest approach sinceexec()on externally-controlled input cannot be safely sanitized.Vulnerability 2: Arbitrary Module Import via
commandField (CVE-94, CVSS 7.5)The
commandevent field allowed importing any Python module and calling any function viaimportlib.import_module(), enabling attackers to invoke arbitrary system functions.Fix: Added a module whitelist check that restricts
commandinvocations to functions within the configuredAPP_MODULEonly. This ensures only the application's own functions can be invoked via this mechanism.Test Update
tests_placebo.pyto expect aValueErrorwhenraw_commandis used, matching the new security behavior.Files Changed
zappa/handler.py: Security fixes for both vulnerabilitiestests/tests_placebo.py: Updated test expectations