How can malicious user input execute arbitrary code?

I was hoping to use static-eval to execute user input without eval. The user can write expressions using a built-in set of pre-defined functions passed into static-eval’s evaluate. However the readme states:

static-eval is like eval. It is intended for use in build scripts and code transformations, doing some evaluation at build time—it is NOT suitable for handling arbitrary untrusted user input. Malicious user input can execute arbitrary code.

How could this be done? I couldn’t see how it would be possible.

Does this warning date back to before the 2.0.0 release (i.e. this vulnerability: https://maustin.net/articles/2017-10/static_eval) and not apply with the current version?

Top GitHub Comments

1 reaction
pocesar commented, Mar 8, 2019

For executing user input, you need a sandbox or a dedicated VM.

0 reactions
pocesar commented, Mar 10, 2019

The latest vulnerability, which was only discovered 2 years after the last version was released, showed how it was possible. Check #20 for the advisory with a PoC.
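As an added example (not code from static-eval or from this issue), the deny-by-default evaluator below shows the allow-list design the original poster was after: it walks an ESTree-shaped AST and evaluates only literals, four arithmetic operators and calls to names in a fixed function table, refusing member access, bare identifiers and every other node type instead of passing them through. The function table (`add`, `max`) and the two sample ASTs are assumptions constructed for the example.

```javascript
// Added example, not code from static-eval or the issue: a deny-by-default
// interpreter over an ESTree-shaped AST. Every node type, operator and callee
// must be explicitly allowed; member access and bare identifiers are refused.
const ALLOWED_FUNCTIONS = Object.freeze({ add: (a, b) => a + b, max: Math.max }); // assumed table
function evaluate(node, fns = ALLOWED_FUNCTIONS) {
  switch (node.type) {
    case 'Literal':
      if (['number', 'string', 'boolean'].includes(typeof node.value)) return node.value;
      throw new Error('literal type not allowed');
    case 'BinaryExpression': {
      const l = evaluate(node.left, fns), r = evaluate(node.right, fns);
      switch (node.operator) {
        case '+': return l + r;
        case '-': return l - r;
        case '*': return l * r;
        case '/': return l / r;
        default: throw new Error(`operator not allowed: ${node.operator}`);
      }
    }
    case 'CallExpression': {
      const { callee } = node;
      // Callee must be a plain name that is an own property of the table, so
      // inherited names such as `constructor` are unreachable.
      if (callee.type !== 'Identifier' || !Object.prototype.hasOwnProperty.call(fns, callee.name)) {
        throw new Error(`function not allowed: ${callee.name || callee.type}`);
      }
      const fn = fns[callee.name]; // call unbound: no `this` leaks the table
      return fn(...node.arguments.map((a) => evaluate(a, fns)));
    }
    default: // MemberExpression, Identifier, FunctionExpression, ... all refused
      throw new Error(`node type not allowed: ${node.type}`);
  }
}
// Result object instead of an exception, for callers that must never let evaluation errors escape.
function safeEvaluate(ast) {
  try { return { ok: true, value: evaluate(ast) }; }
  catch (e) { return { ok: false, error: e.message }; }
}
// Constructed sample ASTs in ESTree shape (what a JavaScript parser would emit for the expressions).
const SAMPLE_ARITHMETIC = { // add(1, 2) * 3  -> { ok: true, value: 9 }
  type: 'BinaryExpression', operator: '*',
  left: { type: 'CallExpression', callee: { type: 'Identifier', name: 'add' },
          arguments: [{ type: 'Literal', value: 1 }, { type: 'Literal', value: 2 }] },
  right: { type: 'Literal', value: 3 },
};
const SAMPLE_MEMBER_ACCESS = { // add.constructor  -> { ok: false, error: 'node type not allowed: MemberExpression' }
  type: 'MemberExpression', computed: false,
  object: { type: 'Identifier', name: 'add' }, property: { type: 'Identifier', name: 'constructor' },
};
```

The point is the default branch: anything the interpreter was not written to handle is an error, so new node types or property lookups never fall through to the host runtime.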
