security: Harden codebase against Shell and Eval injection vulnerabilities #507
Open
GiGiKoneti wants to merge 9 commits into
- plot_window.py: Replace dangerous eval() with safe AST-based math expression parser to prevent arbitrary code execution.
- pspiceToKicad.py: Remove shell=True from subprocess.run() and use list format to prevent command injection.
- tests/test_security_p0.py: Add comprehensive PoC and regression test suite proving exploitation and patch efficacy.

- Replaced dangerous shell=True subprocess calls with safe, list-based execution.
- Replaced subprocess rmdir with shutil.rmtree to safely delete model directories.
- Fixed a typo (msys_hoscme) in the Windows build path.
…rity-p1-shell-injection-nghdl
…Ruff, Pyright, Pre-commit)
…, enable macOS support
…standalone arm64 pyinstaller build, and beautiful DMG packager
Security Audit & Hardening: Shell Injection and Eval Injection

This PR addresses critical vulnerabilities identified during a systemic security audit of the eSim codebase.

Vulnerabilities Fixed:

Arbitrary Code Execution via eval() in plot_window.py (Custom Formulas)
- eval() on user inputs, allowing malicious execution of file I/O, process execution, etc.
- eval() with a robust, custom AST (Abstract Syntax Tree) expression parser that only permits safe, predefined arithmetic operations and exact mathematical function wrappers (np.sin, np.cos, np.log, etc.). It safely parses parentheses-inclusive trace names like v(out) using placeholder mapping.

Shell Injections in ngspice_ghdl.py
- subprocess.call(..., shell=True) with unescaped string concatenations allowed command injection.
- shell=True and migrated all process calls (compiling scripts, rmdir/rm operations) to secure shutil.rmtree and safe list-of-arguments process execution.

Shell Injection in pspiceToKicad.py
- subprocess.run(..., shell=True) execution of the parser.
- sys.executable to target parser.py cleanly.

Tests:
- tests/test_security_p0.py verifying all 26 edge cases, ensuring the safety of the AST expression parser. All tests are passing 100% green!

cc: @VaradhaCodes, @Eyantra698Sumanto
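
A sketch of the allow-list AST evaluation with placeholder mapping that the description refers to, added here as an illustration; it is not the code from this PR. It uses `math` functions in place of the `np.*` wrappers, and the names `safe_eval`, `_walk` and the `_tN` placeholders are assumptions.

```python
import ast
import math
import operator
import re

# Allow-lists: any node type, operator or function not named here is rejected.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv,
           ast.Pow: operator.pow}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
FUNCS = {"sin": math.sin, "cos": math.cos, "log": math.log, "sqrt": math.sqrt}


def safe_eval(formula, traces):
    """Evaluate an arithmetic formula over named traces without eval()."""
    # Trace names such as "v(out)" would parse as function calls, so swap each
    # one for a plain identifier in a single regex pass (longest name first).
    names = sorted(traces, key=len, reverse=True)
    env = {f"_t{i}": traces[n] for i, n in enumerate(names)}
    if names:
        pattern = "|".join(re.escape(n) for n in names)
        formula = re.sub(
            pattern, lambda m: f"_t{names.index(m.group(0))}", formula)
    tree = ast.parse(formula, mode="eval")
    return _walk(tree.body, env)


def _walk(node, env):
    # Numeric literals only; float() keeps "9**9**9" from building a huge int.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return float(node.value)
    if isinstance(node, ast.Name) and node.id in env:
        return env[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_walk(node.left, env),
                                      _walk(node.right, env))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_walk(node.operand, env))
    # Calls are allowed only to a bare allow-listed name, never an attribute.
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in FUNCS and not node.keywords):
        return FUNCS[node.func.id](*[_walk(a, env) for a in node.args])
    raise ValueError(f"disallowed expression element: {type(node).__name__}")
```

Attribute access, subscripts, unknown names and calls to anything outside `FUNCS` all end in `ValueError`, so a regression test can assert on rejection as well as on correct arithmetic.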