Kedro Remote Code Execution Vulnerability via Micro Package Pulling

A remote code execution vulnerability exists in Kedro version 0.19.8. The issue arises in the `pull_package()` API function, which allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` can execute the `setup.py` file inside the downloaded tar file, leading to remote code execution by running arbitrary commands on the victim's machine.

Impact

Exploitation of this vulnerability allows for remote code execution on the victim's machine.

Reproduction

To reproduce this vulnerability, create a `setup.py` file that includes a command to execute (e.g., using `os.system()` to run a command that creates a file). Package this `setup.py` file into a tar.gz archive, ensuring that the `setup.py` is placed in the root directory of the archive. Then, upload this archive to a server where it can be accessed via a URL. Once the archive is hosted, use the Kedro command `kedro micropkg pull` followed by the URL of the malicious tar.gz file. After the command is executed, the specified file will be created on the victim's machine, demonstrating the remote code execution.