How can malicious user input execute arbitrary code?
I was hoping to use static-eval to execute user input without eval. The user can write expressions using a built-in set of pre-defined functions passed into static-eval's evaluate. However the readme states:
static-eval is like eval. It is intended for use in build scripts and code transformations, doing some evaluation at build time—it is NOT suitable for handling arbitrary untrusted user input. Malicious user input can execute arbitrary code.
How could this be done? I couldn’t see how it would be possible.
Does this warning date back to before the 2.0.0 release (i.e. this vulnerability: https://maustin.net/articles/2017-10/static_eval) and not apply with the current version?
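One way to support the use case in the question without handing user input to static-eval (or any JavaScript AST evaluator) at all: parse the expression into a closed grammar of literals, arithmetic and calls to an allow-list, so the input has no syntax for property access, assignment or globals. This is an added example, not code from static-eval or from the issue; `FUNCS` is a constructed sample allow-list.

```javascript
// Added example, not static-eval's code: user expressions are parsed into a closed grammar
// (literals, arithmetic, calls to an allow-list), so the input can never name the host runtime.
const FUNCS = { add: (a, b) => a + b, max: Math.max, len: (s) => s.length }; // constructed allow-list
const OPS = { '+': (a, b) => a + b, '-': (a, b) => a - b, '*': (a, b) => a * b, '/': (a, b) => a / b };
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|("(?:[^"\\]|\\.)*")|([A-Za-z_]\w*)|([-+*\/(),]))/y;
  const out = [];
  for (src = src.trim(); re.lastIndex < src.length; ) {
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`bad token at ${re.lastIndex}`); // e.g. "." or "[" have no token
    out.push(m[1] !== undefined ? { t: 'num', v: Number(m[1]) } : m[2] !== undefined ? { t: 'str', v: JSON.parse(m[2]) }
      : m[3] !== undefined ? { t: 'id', v: m[3] } : { t: 'op', v: m[4] });
  }
  return out;
}
function parse(tokens) {
  let i = 0; const peek = () => tokens[i];
  const isOp = (v) => !!peek() && peek().t === 'op' && peek().v === v;
  const take = (v) => { if (!isOp(v)) throw new SyntaxError(`expected ${v}`); i++; };
  function primary() {
    const tok = peek(); if (!tok) throw new SyntaxError('unexpected end of input');
    if (tok.t === 'num' || tok.t === 'str') { i++; return { k: 'lit', v: tok.v }; }
    if (isOp('(')) { i++; const e = additive(); take(')'); return e; }
    if (tok.t !== 'id') throw new SyntaxError(`unexpected ${tok.v}`);
    i++; take('('); const args = []; // identifiers are valid only as call targets, never as values
    while (!isOp(')')) { args.push(additive()); if (isOp(',')) i++; else break; }
    take(')');
    return { k: 'call', f: tok.v, args };
  }
  const binary = (next, ops) => () => { // left-associative binary operators of one precedence level
    let left = next();
    while (peek() && peek().t === 'op' && ops.includes(peek().v))
      left = { k: 'bin', op: tokens[i++].v, l: left, r: next() };
    return left;
  };
  const multiplicative = binary(primary, ['*', '/']), additive = binary(multiplicative, ['+', '-']);
  const ast = additive();
  if (i < tokens.length) throw new SyntaxError('trailing input');
  return ast;
}
function evalAst(n, funcs) {
  if (n.k === 'lit') return n.v;
  if (n.k === 'bin') return OPS[n.op](evalAst(n.l, funcs), evalAst(n.r, funcs));
  // Only own properties of the allow-list are callable: no prototype lookups, no globals.
  if (!Object.prototype.hasOwnProperty.call(funcs, n.f)) throw new ReferenceError(`unknown function ${n.f}`);
  return funcs[n.f](...n.args.map((a) => evalAst(a, funcs)));
}
function safeEvaluate(src, funcs = FUNCS) { return evalAst(parse(tokenize(src)), funcs); }
```

Anything outside the grammar (a `.`, a `[`, a bare identifier, an unknown function name) is rejected at parse or lookup time rather than reaching an evaluator that understands full JavaScript.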
Top GitHub Comments
For executing user input, you need a sandbox or a dedicated VM.
The latest vulnerability, which was only discovered 2 years after the last version was released, showed how it was possible. Check #20 for the advisory with a PoC.