GHSA-4675-36f9-wf6r: Picklescan does not block ctypes
Picklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to
- Load DLLs
- Call C functions directly
- Manipulate memory raw pointers.
This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter based python sandboxes as ctypes allow direct access to raw memory.
This is a more severe loophole than normal gadget chains and bypasses as raw memory access can be used for a lot of nefarious purposes down the line if left undetected
References
- github.com/advisories/GHSA-4675-36f9-wf6r
- github.com/mmaitre314/picklescan
- github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab
- github.com/mmaitre314/picklescan/pull/53
- github.com/mmaitre314/picklescan/releases/tag/v0.0.33
- github.com/mmaitre314/picklescan/security/advisories/GHSA-4675-36f9-wf6r
Code Behaviors & Features
Detect and mitigate GHSA-4675-36f9-wf6r with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →