Redash
cpe:2.3:a:redash:redash:*:*:*:*:*:*:*
- <= 10.1.0
- <= 25.1.0
A critical sandbox-escape vulnerability has been identified in Redash versions prior to 10.1.0 and 25.1.0. The issue lies in the Python query runner, specifically in the 'run_query' function of 'query_runner/python.py'. It is caused by improper handling of the 'getattr' built-in: the function was meant to be replaced by a secure version, but the version actually exposed to queries allows unauthorized access to Python's object model. The flaw can be exploited without importing any additional modules and can lead to remote code execution.
Exploitation of this vulnerability allows for unauthorized access to the Python sandbox, enabling execution of arbitrary code on the server where Redash is running.
To reproduce the vulnerability, create a Python data source in Redash and write a query that uses the exposed 'getattr' function. Such a query can reach Python's object model to retrieve sensitive information or execute commands on the server.
It is recommended to use the secure '_getattr_' and 'getattr' implementations provided by RestrictedPython, together with its hardened built-ins, so that sandbox isolation is maintained. Additionally, consider running Python queries in isolated containers and applying Linux sandboxing mechanisms such as AppArmor or seccomp.
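As an added example (not Redash's code and not RestrictedPython's own source), the block below models the mitigation described above: a guarded attribute lookup written after the documented behaviour of RestrictedPython's safer_getattr (refuse names starting with '_' and the str.format family), a builder for the globals dict handed to a query in both the weak form (raw built-in getattr exposed) and the hardened form, and an audit helper that flags a namespace in which the raw built-in getattr is still reachable under 'getattr' or '_getattr_'. The function names, the constructed query strings and the use of plain exec() (a stand-in for compile_restricted here, not a sandbox by itself) are assumptions of this example.

```python
"""Hardened getattr policy for a RestrictedPython-style query sandbox.

Added example, not Redash code. The guard below is a local model of the
documented behaviour of RestrictedPython.Guards.safer_getattr so the file
runs without the library installed; function names are this example's own.
"""
import builtins


def safer_getattr(obj, name, default=None, getattr=builtins.getattr):
    """Guarded attribute lookup modelled on RestrictedPython's safer_getattr.

    Refuses any attribute whose name starts with '_' (so __class__, __dict__
    and friends are unreachable) and the str.format family, which can be
    used to walk attributes of objects passed as format arguments.
    """
    if name in ("format", "format_map") and (
        isinstance(obj, str) or (isinstance(obj, type) and issubclass(obj, str))
    ):
        raise NotImplementedError("Using the format*() methods of str is not safe")
    if name.startswith("_"):
        raise AttributeError(
            f'"{name}" is an invalid attribute name because it starts with "_"'
        )
    return getattr(obj, name, default)


def build_restricted_globals(hardened):
    """Build the globals dict handed to a query.

    hardened=False reproduces the weak pattern (the raw built-in getattr is
    bound under both names); hardened=True binds the guard under both names,
    which is the fix the advisory recommends.
    """
    lookup = safer_getattr if hardened else builtins.getattr
    safe_builtins = {
        "len": len, "str": str, "int": int, "range": range,
        "getattr": lookup,          # what a query sees as getattr(...)
    }
    return {"__builtins__": safe_builtins, "_getattr_": lookup}


def audit_restricted_globals(restricted_globals):
    """Return the names under which the raw built-in getattr is reachable.

    An empty list means the namespace is hardened with respect to getattr.
    """
    leaks = []
    for key, value in restricted_globals.get("__builtins__", {}).items():
        if value is builtins.getattr:
            leaks.append(f"__builtins__.{key}")
    if restricted_globals.get("_getattr_") is builtins.getattr:
        leaks.append("_getattr_")
    return leaks


def execute_query(source, restricted_globals):
    """Run query text under the given globals; return (blocked, detail).

    exec() with a trimmed __builtins__ is NOT a sandbox; it only shows how
    the getattr policy behaves. Real deployments must compile the query with
    RestrictedPython's compile_restricted and use its full guard set.
    """
    namespace = dict(restricted_globals)
    try:
        exec(source, namespace)
    except (AttributeError, NotImplementedError) as exc:
        return True, str(exc)
    return False, repr(namespace.get("result"))


# Constructed query strings for the demonstration.
PROBE_DUNDER = 'result = getattr(len, "__class__")'   # reaches the object model
PROBE_BENIGN = 'result = getattr("abc", "upper")()'   # ordinary attribute use


if __name__ == "__main__":
    for hardened in (False, True):
        g = build_restricted_globals(hardened)
        print("hardened" if hardened else "weak", "leaks:", audit_restricted_globals(g))
        print("  dunder probe blocked:", execute_query(PROBE_DUNDER, g)[0])
        print("  benign query result:", execute_query(PROBE_BENIGN, g)[1])
```

The audit helper is the check worth keeping around: run it against the globals your query runner actually builds, and treat any non-empty result as the vulnerable configuration regardless of which RestrictedPython version is installed.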