Eval on query parameters allows arbitrary code execution in SharePoint integration site column creation

Products Impacted

This vulnerability is present in MindsDB versions v23.10.5.0 up to v24.7.4.1.

CVSS Score: 8.8

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE Categorization

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Details

To exploit this, an attacker must be authenticated to a MindsDB instance that has the SharePoint integration installed. The vulnerability exists because the value provided for the text column in an ‘INSERT’ statement for the siteColumns table is passed into an eval statement in the create_a_site_column function in the mindsdb/integrations/handlers/sharepoint_handler/sharepoint_api.py file (shown below – edited to only include the relevant sections).

def create_a_site_column(
        self,
        site_id: str,
        enforce_unique_values: bool,
        hidden: bool,
        indexed: bool,
        name: str,
        text: str = None,
    ) -> None:
        """
        Creates a list with metadata information provided in the params
        site_id: GUID of the site where the column is to be created
        enforced_unique_values: if true, no two list items may have the same value for this column
        hidden: specifies whether the column is displayed in the user interface
        name: the API-facing name of the column as it appears in the fields on a listItem.
        text: details regarding the text values in the column

        Returns
        None
        """
        url = f"https://graph.microsoft.com/v1.0/sites/{site_id}/columns/"
        payload = {}
        if text:
            text = eval(text)
            payload["text"] = text
...

The eval function appears to be used for parsing valid Python data types from arbitrary user input but has the side effect of enabling arbitrary code execution because Python code can be passed to it via the method explained above.