Hacker News new | ask | show | jobs
by anglebracket 4505 days ago
Hmm, all these eval() calls using data from cookies[0]... is this vulnerable to remote code execution? I think those eval() calls should be json.loads().

[0] https://github.com/k3oni/pydash/blob/1317771275aa118a40df1ec...
2 comments
k3oni 4505 days ago
Those evals() are valid only if user is authenticated, if there is no authentication then no eval() will be performed on the cookies.
link
anglebracket 4505 days ago
True, but just because you trust someone to access the dashboard doesn't mean you trust them to execute code on your server. There are other things to consider as well, like MITM attacks, and that an XSS hole would let the attacker set their own cookies.

The data in the cookies is just JSON, right? If json.loads() would work here you should switch to that instead.

link
k3oni 4505 days ago
Good point there, i'll look into limiting the eval().

I would hope that people won't give access to everyone to the dashboard, wasn't really build for that, or at least that wasn't my initial idea.

link
hegga 4505 days ago
doesn't this get even worse since the python server is run by root?
link