Grist Arbitrary Process Execution Vulnerability in Pyodide Sandbox

Vulnerability

A critical vulnerability in the Grist spreadsheet software allows arbitrary process execution on the server when document formulas are evaluated with the 'pyodide' sandbox flavor. It affects Grist versions prior to 1.7.9. The root cause is that Pyodide running on Node provides no real sandbox barrier between formula code and the host, so on an instance started with the environment variable GRIST_SANDBOX_FLAVOR set to 'pyodide', opening a malicious document is enough to run processes on the server. The sandbox flavor is an operator-side deployment setting, not something the attacker controls; the attacker only needs to get a crafted document opened on such an instance. Grist 1.7.9 and later address the issue by running Pyodide under Deno, which provides a sandbox boundary around the interpreter that Node did not.

Impact

Exploitation gives an attacker arbitrary process execution on the host running Grist, with the privileges of the Grist server process. From there the attacker can tamper with the server, read documents and any credentials the process can reach, or use the host as a foothold into the surrounding environment.

Reproduction

To reproduce, run a Grist version prior to 1.7.9 with the environment variable GRIST_SANDBOX_FLAVOR set to 'pyodide' and start the server. Then open a malicious document on that instance: a document whose formulas, when evaluated, cause the Pyodide runtime on Node to start a process on the server. The issue is specific to the 'pyodide' flavor, so the value of GRIST_SANDBOX_FLAVOR on the running process is the first thing to verify on a deployment suspected to be affected.

Remediation

Upgrade to Grist 1.7.9 or later, where Pyodide runs under Deno. If upgrading is not immediately possible, switch to the gvisor-based sandbox by setting GRIST_SANDBOX_FLAVOR to 'gvisor' and restarting Grist (on hosts where the gvisor sandbox is available). In either case, confirm the change on the running process rather than in a config file that may not have been applied: the value of GRIST_SANDBOX_FLAVOR in the server's actual environment is what determines which sandbox evaluates formulas.
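The following is an added triage check, not code from the Grist project or from this advisory. It decides whether a deployment is exposed to this issue by combining the two facts the advisory gives: the 'pyodide' sandbox flavor and a version older than 1.7.9. The version string and flavor are assumed to be read by the operator from the running process (for example from the container's environment and image tag); the deployment names and values in the loop are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Grist's own tooling): flag Grist deployments that run
# the Pyodide-on-Node sandbox on a version older than 1.7.9.

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Compares up to three numeric components; a missing component counts as 0,
# a leading "v" is dropped, and a suffix such as "-rc1" is ignored.
version_lt() {
  va=${1#v}; vb=${2#v}
  i=1
  while [ "$i" -le 3 ]; do
    pa=$(printf '%s\n' "$va" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
    pb=$(printf '%s\n' "$vb" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
    pa=${pa:-0}; pb=${pb:-0}
    if [ "$pa" -lt "$pb" ]; then return 0; fi
    if [ "$pa" -gt "$pb" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1  # equal versions are not "older than"
}

# grist_exposed VERSION FLAVOR: succeed (exit 0) only for the vulnerable
# combination described in the advisory: GRIST_SANDBOX_FLAVOR=pyodide on a
# Grist release before 1.7.9. Any other flavor is out of scope for this issue.
grist_exposed() {
  [ "$2" = "pyodide" ] || return 1
  version_lt "$1" "1.7.9"
}

# Constructed sample inventory (hypothetical hosts): "name version flavor".
# In practice, take FLAVOR from the process environment of the running
# server and VERSION from the deployed release.
for deployment in "grist-prod 1.7.8 pyodide" \
                  "grist-staging 1.7.9 pyodide" \
                  "grist-legacy 1.7.8 gvisor"; do
  set -- $deployment
  if grist_exposed "$2" "$3"; then
    echo "$1: EXPOSED (Grist $2, GRIST_SANDBOX_FLAVOR=$3): upgrade to 1.7.9+ or set GRIST_SANDBOX_FLAVOR=gvisor"
  else
    echo "$1: not exposed to this issue (Grist $2, flavor $3)"
  fi
done
```

The check deliberately keys on the flavor as seen by the running process rather than on a config file, since a stale file would give a false sense of safety; feed it the value you observe on the live server.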

Added: Jan 22, 2026, 3:18 AM
Updated: Jan 22, 2026, 3:18 AM

Vulnerability Rating

Custom Algorithm

spread          0.8
impact         10.0
exploitability  7.0
remediation     8.3
relevance       2.3
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.