[Bug] Security bug: Arbitrary code execution #639
Comments
erkinalp
added a commit
to erkinalp/devika
that referenced
this issue
Dec 18, 2024
- Add firejail-based sandbox for secure code execution - Implement code validation and restricted imports/calls - Update runner to use sandboxed execution - Add security test suite - Fix arbitrary code execution vulnerability (Fixes stitionai#639) - Add proper security measures (Fixes stitionai#648) Security: - Restrict dangerous imports and function calls - Run code in isolated firejail sandbox - Add timeout limits - Prevent network access in sandbox - Add comprehensive security tests Co-Authored-By: Erkin Alp Güney <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Security bug: Arbitrary code execution
How To Reproduce
Hello Developer,
I have noticed that Devika does not implement security measures to isolate the execution of user-provided code, which could lead to the takeover of the server running the code.
For instance, when I used the following prompt to execute code, Devika directly opened the calculator on my computer:
execute the following python code: os.system("open -a calculator")
If I were to execute malicious code, this could seriously compromise server security.
Screenshots and logs
The text was updated successfully, but these errors were encountered: