adrinjalali (Member)

Fixes #1128

Make sure nothing's available to eval for pre_dispatch.

cc @ogrisel

@codecov bot commented Sep 5, 2022

Codecov Report

Merging #1321 (415fa23) into master (1fdf308) will increase coverage by 0.01%.
The diff coverage is 100.00%.

```
@@            Coverage Diff             @@
##           master    #1321      +/-   ##
==========================================
+ Coverage   93.90%   93.92%   +0.01%     
==========================================
  Files          50       50              
  Lines        7270     7270              
==========================================
+ Hits         6827     6828       +1     
+ Misses        443      442       -1     
```

| Impacted Files | Coverage Δ |
| --- | --- |
| joblib/parallel.py | 96.02% <100.00%> (-0.54%) ⬇️ |
| joblib/pool.py | 87.80% <0.00%> (-0.82%) ⬇️ |
| joblib/memory.py | 95.51% <0.00%> (+0.26%) ⬆️ |
| joblib/backports.py | 70.70% <0.00%> (+1.01%) ⬆️ |
| joblib/_store_backends.py | 91.79% <0.00%> (+1.02%) ⬆️ |


@ogrisel (Contributor) commented Sep 5, 2022

Thanks for the fix! I assume that this is enough but alternatively we could try to use the ast module to parse the tree to check that there are only arithmetic operations involved.

Let's wait for the CI to complete before merging.
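One way to implement the ast-based check ogrisel suggests, as an added example that is not joblib's code (the names `eval_pre_dispatch` and `is_valid_pre_dispatch` are hypothetical): only numeric literals, the name `n_jobs` and arithmetic operators are accepted, so a call, attribute access or any other construct raises `ValueError` instead of being executed the way a bare `eval()` would run it. Non-expression values such as `'all'` that the real `pre_dispatch` parameter accepts are outside this example.

```python
import ast
import operator

# Arithmetic operators permitted in a pre_dispatch expression such as
# "2*n_jobs" or "n_jobs // 2"; anything not in these tables is rejected.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def eval_pre_dispatch(expr, n_jobs):
    """Evaluate a pre_dispatch expression with a whitelist walk over its AST.

    Hypothetical helper (not joblib's code). ast.parse(mode="eval") is used
    instead of eval(): every node is checked against an allow-list of numeric
    constants, the name 'n_jobs' and arithmetic operators, and any other node
    type (Call, Attribute, Subscript, string constants, ...) raises ValueError
    before anything is evaluated.
    """
    if isinstance(expr, int):
        return expr
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid pre_dispatch expression: {expr!r}") from exc

    def _eval(node):
        if isinstance(node, ast.Expression):
            return _eval(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.Name) and node.id == "n_jobs":
            return n_jobs
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](_eval(node.left), _eval(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](_eval(node.operand))
        raise ValueError(f"disallowed construct in pre_dispatch: {ast.dump(node)}")

    return int(_eval(tree))


def is_valid_pre_dispatch(expr, n_jobs=1):
    """Return True if expr is a pure arithmetic expression over n_jobs."""
    try:
        eval_pre_dispatch(expr, n_jobs)
    except (ValueError, ZeroDivisionError):
        return False
    return True
```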

@adrinjalali (Member, Author)

I'm not sure if it's worth having this feature if we're going to parse it and add that complexity to the code 😅

@ogrisel ogrisel merged commit b90f10e into joblib:master Sep 5, 2022
@ogrisel (Contributor) commented Sep 5, 2022

The CI was green, merged.

@adrinjalali adrinjalali deleted the eval branch September 5, 2022 13:19
@GaelVaroquaux (Member)

Cool!

Successfully merging this pull request may close these issues.

The potential security vulnerability for the flag pre_dispatch in Parallel() class due to the eval() statement.