🛡️ Sentinel: [CRITICAL] Fix Arbitrary Code Execution in Type Resolution Eval#351
🛡️ Sentinel: [CRITICAL] Fix Arbitrary Code Execution in Type Resolution Eval#351bashandbone wants to merge 1 commit into
Conversation
The `_safe_eval_type` function in `src/codeweaver/core/di/container.py` validates type strings before calling `eval()` using an AST pass. It permitted `ast.Call` nodes to allow for annotations like `Annotated[T, Depends(...)]`. However, this could lead to arbitrary code execution by an attacker exploiting functions in the `globalns` passed to the eval environment (e.g., executing `os.system(...)`). This commit updates the `TypeValidator` to enforce a strict allowlist of functions within `ast.Call` nodes (`Depends`, `depends`, `Field`, `PrivateAttr`), and ensures `node.func` is always an `ast.Name` to prevent object attribute access (dot notation) attacks. Co-authored-by: bashandbone <89049923+bashandbone@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
Reviewer's guide (collapsed on small PRs)Reviewer's GuideTightens the AST-based type evaluation in the DI container to only allow a small, explicit set of safe function calls during eval, preventing arbitrary code execution, and records the incident and mitigation details in the Sentinel security log. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
|
🤖 Hi @bashandbone, I've received your request, and I'm working on it now! You can track my progress in the logs for more details. |
|
🤖 I'm sorry @bashandbone, but I was unable to process your request. Please see the logs for more details. |
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- Consider extracting the
allowed_funcsset to a module- or class-level constant so the whitelist is defined in a single place and easier to audit or extend in future changes.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Consider extracting the `allowed_funcs` set to a module- or class-level constant so the whitelist is defined in a single place and easier to audit or extend in future changes.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
There was a problem hiding this comment.
Pull request overview
This PR addresses a critical arbitrary code execution vulnerability in _safe_eval_type within the DI container. The AST validator previously allowed any ast.Call node, enabling arbitrary function execution via eval() since the call could resolve to functions in the supplied globalns. The fix restricts ast.Call to a small whitelist of known type-annotation helpers and forbids attribute-based calls.
Changes:
- Add a whitelist (
Depends,depends,Field,PrivateAttr) forast.Callfunction names inTypeValidator.generic_visit. - Require
node.functo be anast.Name(rejectsobj.method()style calls). - Document the vulnerability and prevention in
.jules/sentinel.md.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/codeweaver/core/di/container.py | Enforces strict call whitelist in the AST type validator to block arbitrary code execution. |
| .jules/sentinel.md | Adds postmortem entry documenting the vulnerability and mitigation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The
_safe_eval_typemethod insrc/codeweaver/core/di/container.pywas found to have a severe Arbitrary Code Execution vulnerability.The AST pass allowed
ast.Callnodes so that Pydantic fields or Dependency Injection annotations (e.g.Depends()) could be evaluated viaeval(). Becauseevalis called with aglobalnsenvironment (which can contain local functions and imports), an attacker could execute arbitrary functions by supplying an unexpected type string (like"ExploitClass().execute()").Fix
The
TypeValidator.generic_visitmethod was updated:Depends,depends,Field,PrivateAttr).node.funcmust be anast.Nameto prevent dot notation attacks (e.g.os.system).Tests have been run, confirming the exploit is prevented, while DI container functions remain fully operational. Learnings have been documented in
.jules/sentinel.md.PR created automatically by Jules for task 2303909245205650646 started by @bashandbone
Summary by Sourcery
Harden type resolution evaluation in the DI container to prevent arbitrary code execution and document the related security incident in Sentinel notes.
Bug Fixes:
Documentation: