Description
During a security audit of the eSim codebase, two critical security vulnerabilities were discovered that allow attackers to execute arbitrary code and OS commands.
1. Arbitrary Code Execution in plot_window.py
The plot_function method uses Python's eval() on unsanitized user input from the Function Plot text field. This allows an attacker (or a maliciously crafted project file) to execute arbitrary Python code, resulting in local file reads, arbitrary file writes, and OS command execution via __import__('os').system().
2. Command Injection in pspiceToKicad.py
The convert method executes a shell command using subprocess.run(command, shell=True) where the file_path contains user-controlled input. Shell metacharacters (e.g., ;, |, $()) in a .sch filename are interpreted by the shell, leading to arbitrary command execution.
Impact
Both vulnerabilities lead to full system compromise with the privileges of the user running eSim.
Proposed Fix
A Pull Request is being submitted alongside this issue that:
- Replaces
eval() in plot_window.py with a strict, AST-based safe math expression parser.
- Removes
shell=True in pspiceToKicad.py and migrates to safe, list-based subprocess execution using sys.executable.
- Adds a comprehensive PoC and regression test suite (
tests/test_security_p0.py) to prevent regressions.
Description
During a security audit of the eSim codebase, two critical security vulnerabilities were discovered that allow attackers to execute arbitrary code and OS commands.
1. Arbitrary Code Execution in
plot_window.pyThe
plot_functionmethod uses Python'seval()on unsanitized user input from the Function Plot text field. This allows an attacker (or a maliciously crafted project file) to execute arbitrary Python code, resulting in local file reads, arbitrary file writes, and OS command execution via__import__('os').system().2. Command Injection in
pspiceToKicad.pyThe
convertmethod executes a shell command usingsubprocess.run(command, shell=True)where thefile_pathcontains user-controlled input. Shell metacharacters (e.g.,;,|,$()) in a.schfilename are interpreted by the shell, leading to arbitrary command execution.Impact
Both vulnerabilities lead to full system compromise with the privileges of the user running eSim.
Proposed Fix
A Pull Request is being submitted alongside this issue that:
eval()inplot_window.pywith a strict, AST-based safe math expression parser.shell=TrueinpspiceToKicad.pyand migrates to safe, list-based subprocess execution usingsys.executable.tests/test_security_p0.py) to prevent regressions.