Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat: add bentoml insecure deserlization plugin #520

Merged
merged 9 commits into from
Oct 23, 2024
Merged

Feat: add bentoml insecure deserlization plugin #520

merged 9 commits into from
Oct 23, 2024

Conversation

secureness
Copy link
Contributor

@secureness secureness commented Jul 29, 2024
edited
Loading

The issue of this PR: #482
The testbed: google/security-testbeds#73

@secureness secureness mentioned this pull request Jul 29, 2024
Merged
@secureness
Copy link
Contributor Author

@tooryx could you help me on this issue too? In case your colleague was busy.

@tooryx tooryx linked an issue Aug 6, 2024 that may be closed by this pull request
AI PRP: BentoML Insecure Deserialization RCE #482
Closed
@tooryx tooryx added the Contributor main The main issue a contributor is working on (top of the contribution queue). label Aug 6, 2024
@lokiuox lokiuox self-requested a review August 15, 2024 18:23
lokiuox
lokiuox suggested changes Aug 15, 2024
View reviewed changes
Copy link
Collaborator

@lokiuox lokiuox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @secureness, thanks for your contribution!

First of all, about your issues with Tsunami, the two CLI switches you're referencing were added pretty recently. Just make sure you're not using the Tsunami JAR from the release section, but rather compile everything from source. I'd suggest just purging everything and running the quick_start_advanced.sh script from scratch.

Also, I've found that I needed to append this to my yaml config, otherwise I'd get a Nullptr Exception:

common:
  net:
    http:
      trust_all_certificates: true
      connect_timeout_seconds: 30

About the plugin, I confirm it's working after fixing the small bugs I've highlighted in the review.

Please after addressing the review comments, also make sure to do the following:

  • Try to fix the indentation, some lines seem extra-indented and a few multiline strings start and end at different indentation levels
  • Add a file with the test cases. You can take inspiration from the other Python plugins in the repo

py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
@secureness
Copy link
Contributor Author

I'll add the test cases soon, sorry I didn't notice that Python plugins have test cases too :)

@secureness
Copy link
Contributor Author

@lokiuox I added the tests.

lokiuox
lokiuox suggested changes Sep 2, 2024
View reviewed changes
Copy link
Collaborator

@lokiuox lokiuox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @secureness, I added a few more comments

py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector_tests.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector_tests.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
@secureness
snake_case for variables, remove unused imports, sort imports, fix a …
43413b8 
…mistake about wrong indent

thanks to the lokiuox
lokiuox
lokiuox reviewed Sep 21, 2024
View reviewed changes
Copy link
Collaborator

@lokiuox lokiuox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @secureness, I've left two comments on a a few minor things, besides those the plugin looks good.

py_plugins/bentoml_deserialization_rce/bentoml_rce_detector.py Outdated Show resolved Hide resolved
py_plugins/bentoml_deserialization_rce/bentoml_rce_detector_tests.py Outdated Show resolved Hide resolved
@lokiuox
Copy link
Collaborator

lokiuox commented Sep 23, 2024

Hi @secureness, I just noticed that the plugin lacks a check to ensure that the service is indeed BentoML before calling _IsServiceVulnerable(). If you could add a simple check in _IsSupportedService or Detect (e.g. calling an API or requesting a page that is specific to BentoML) that would be great. I'm otherwise ready to mark this plugin as approved.

@lokiuox
Copy link
Collaborator

lokiuox commented Oct 15, 2024

LGTM - Approved
@maoning we can merge this and google/security-testbeds#73

Reviewer: Savio, Doyensec
Plugin: BentoML Insecure Deserialization RCE - CVE-2024-2912

@lokiuox lokiuox added the lgtm label Oct 15, 2024
@tooryx
Copy link
Member

tooryx commented Oct 22, 2024

Hi @secureness,

This is being reviewed internally and should be merged in a few days.

~tooryx

@copybara-service copybara-service bot merged commit 55cd706 into google:master Oct 23, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lokiuox lokiuox lokiuox requested changes

Assignees

@secureness secureness

Labels
Contributor main The main issue a contributor is working on (top of the contribution queue). lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AI PRP: BentoML Insecure Deserialization RCE
3 participants
@secureness @lokiuox @tooryx