Add runpy to unsafe operators

mmaitre314 · May 28, 2024 · 4b58fae · 4b58fae
1 parent d346153
commit 4b58fae
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/src/picklescan/scanner.py b/src/picklescan/scanner.py
@@ -114,6 +114,7 @@ def __str__(self) -> str:
     "socket": "*",
     "subprocess": "*",
     "sys": "*",
+    "runpy": "*",  # Includes runpy._run_code
     "operator": "attrgetter",  # Ex of code execution: operator.attrgetter("system")(__import__("os"))("echo pwned")
     "pickle": "*",
     "_pickle": "*",

diff --git a/tests/test_scanner.py b/tests/test_scanner.py
@@ -3,6 +3,7 @@
 import importlib
 import io
 import os
+import runpy
 import pickle
 import pytest
 import requests
@@ -83,6 +84,11 @@ def __reduce__(self):
         return pickle.loads, (b"I12345\n.",)  # Loads the value 12345
 
 
+class Malicious14:
+    def __reduce__(self):
+        return runpy._run_code, ("print('456')",)
+
+
 class HTTPResponse:
     def __init__(self, status, data=None):
         self.status = status
@@ -336,6 +342,9 @@ def initialize_pickle_files():
     initialize_pickle_file(
         f"{_root_path}/data/malicious13b.pkl", Malicious13(), 4
     )  # pickle module serialized as _pickle
+    initialize_pickle_file(
+        f"{_root_path}/data/malicious14.pkl", Malicious14(), 4
+    )  # runpy
 
     initialize_zip_file(
         f"{_root_path}/data/malicious1.zip",
@@ -552,6 +561,13 @@ def test_scan_file_path():
         scan_file_path(f"{_root_path}/data/bad_pytorch.pt"), bad_pytorch
     )
 
+    malicious14 = ScanResult(
+        [Global("runpy", "_run_code", SafetyLevel.Dangerous)], 1, 1, 1
+    )
+    compare_scan_results(
+        scan_file_path(f"{_root_path}/data/malicious14.pkl"), malicious14
+    )
+
 
 def test_scan_directory_path():
     sr = ScanResult(
@@ -578,6 +594,7 @@ def test_scan_directory_path():
             Global("requests.api", "get", SafetyLevel.Dangerous),
             Global("builtins", "eval", SafetyLevel.Dangerous),
             Global("builtins", "eval", SafetyLevel.Dangerous),
+            Global("runpy", "_run_code", SafetyLevel.Dangerous),
             Global("socket", "create_connection", SafetyLevel.Dangerous),
             Global("collections", "OrderedDict", SafetyLevel.Innocuous),
             Global("torch._utils", "_rebuild_tensor_v2", SafetyLevel.Innocuous),
@@ -594,9 +611,9 @@ def test_scan_directory_path():
             Global("_pickle", "loads", SafetyLevel.Dangerous),
             Global("_codecs", "encode", SafetyLevel.Suspicious),
         ],
-        scanned_files=27,
-        issues_count=25,
-        infected_files=22,
+        scanned_files=28,
+        issues_count=26,
+        infected_files=23,
         scan_err=True,
     )
     compare_scan_results(scan_directory_path(f"{_root_path}/data/"), sr)