micropython / micropython / 14143 / 6
98%
master: 98%

Build:
DEFAULT BRANCH: master
Ran 21 Aug 2020 06:20AM UTC
Files 274
Run time 11s
21 Aug 2020 06:08AM UTC coverage: 98.016% (-0.005%) from 98.021%
MAKEOPTS="-j4"

push

travis-ci-com

dpgeorge
tools/pyboard.py: Replace eval() of received data with alternative.

Prior to this commit, pyboard.py used eval() to "parse" file data received
from the board.  Using eval() on received data from a device is dangerous,
because a malicious device may inject arbitrary code execution on the PC
that is doing the operation.

Consider the following scenario:

Eve may write a malicious script to Bob's board in his absence.  On return
Bob notices that something is wrong with the board, because it doesn't work
as expected anymore.  He wants to read out boot.py (or any other file) to
see what is wrong.  What he gets is a remote code execution on his PC.

Proof of concept:

Eve:

  $ cat boot.py
  _print = print
  print = lambda *x, **y: _print("os.system('ls /; echo Pwned!')", end="\r\n\x04")
  $ ./pyboard.py -f cp boot.py :
  cp boot.py :boot.py

Bob:

  $ ./pyboard.py -f cp :boot.py /tmp/foo
  cp :boot.py /tmp/foo
  bin   chroot  dev  home  lib32  media  opt   root  sbin  sys  usr
  boot  config  etc  lib   lib64  mnt    proc  run   srv   tmp  var
  Pwned!

There's also the possibility that the device is malfunctioning and sends
random and possibly dangerous data back to the PC, to be eval'd.

Fix this problem by using ast.literal_eval() to parse the received bytes,
instead of eval().

Signed-off-by: Michael Buesch <m@bues.ch>
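The hardened parsing step described in the commit message, as an added example that is not pyboard.py's own code. It assumes the board answers each host-side `print(f.read(n))` with the `repr()` of a bytes object followed by the REPL's `\r\n\x04` framing, and that an empty read marks end of file; the function and constant names are the example's own.

```python
import ast

# Constructed sample chunks standing in for what a board sends back over the
# serial REPL: the repr() of a bytes object, then the REPL's "\r\n\x04" framing.
GOOD_CHUNKS = [
    b"b'# boot.py\\r\\nimport machine\\r\\n'\r\n\x04",
    b"b'print(\"hello\")\\r\\n'\r\n\x04",
    b"b''\r\n\x04",  # empty read marks end of file
]
# Shaped like the proof of concept in the commit message: a call expression
# rather than a bytes literal. eval() would run it; literal_eval() rejects it.
HOSTILE_CHUNK = b"os.system('ls /; echo Pwned!')\r\n\x04"


def parse_board_chunk(raw: bytes) -> bytes:
    """Turn one repr()-encoded chunk from the board back into bytes.

    ast.literal_eval accepts only Python literals (str, bytes, numbers, tuples,
    lists, dicts, sets, booleans, None). Names, attribute access and calls raise
    ValueError, so neither a hostile nor a malfunctioning device can make the
    host execute anything.
    """
    try:
        text = raw.rstrip(b"\x04").rstrip(b"\r\n").decode("ascii")
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:  # UnicodeDecodeError is a ValueError
        raise ValueError(f"board returned non-literal data: {raw!r}") from exc
    if not isinstance(value, bytes):
        raise ValueError(f"expected a bytes literal, got {type(value).__name__}")
    return value


def chunk_is_safe(raw: bytes) -> bool:
    """True if the chunk parses as a bytes literal, False if it is rejected."""
    try:
        parse_board_chunk(raw)
        return True
    except ValueError:
        return False


def read_file_from_chunks(chunks) -> bytes:
    """Reassemble a file from successive chunks, stopping at the empty read."""
    out = bytearray()
    for raw in chunks:
        data = parse_board_chunk(raw)
        if not data:
            break
        out += data
    return bytes(out)


if __name__ == "__main__":
    print(read_file_from_chunks(GOOD_CHUNKS))
    print("hostile chunk accepted:", chunk_is_safe(HOSTILE_CHUNK))
```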

19466 of 19860 relevant lines covered (98.02%)

422298.63 hits per line

  • 60cf2c09 on github