AntaresMugisho PyBlade Code Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A code injection vulnerability has been identified in AntaresMugisho PyBlade versions 0.1.8-alpha, 0.1.9-alpha and 0.2.0-alpha. It arises from unsafe expression evaluation during template rendering, specifically in the AST validation component: the validation does not block access to dangerous Python magic methods, which allows remote code execution through Python's object model. The vulnerability has been publicly disclosed and is actively exploitable.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where PyBlade is used.
Reproduction
The vulnerability can be reproduced by rendering, with the PyBlade template engine, a template that contains a specific payload. In versions 0.1.8-alpha and 0.1.9-alpha, the payload bypasses the AST validation by using 'ast.Constant' nodes to reach dangerous magic methods. In version 0.2.0-alpha, the same payload works directly, because 'eval()' is called without any security checks.
Remediation
Users are advised to upgrade to the latest version of PyBlade, which includes a fixed AST validation that properly checks all node types and blocks access to private attributes.
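The following validator illustrates the remediation described above and the weakness described under Reproduction; it is an added example, not PyBlade's own code. It walks every node of the parsed expression rather than a few top-level types, rejects anything outside an allow-list, and refuses underscore-prefixed names whether they appear as an attribute, a bare name or a string constant. The function names and the allow-list are assumptions, and Python 3.9 or later is assumed.

```python
import ast

# Constructed example (not PyBlade's code): an allow-list validator for template
# expressions. Every node reached by ast.walk must be on the list, and a private
# (underscore-prefixed) name is refused whether it appears as an attribute, a bare
# name, or a string constant, so a subscript or getattr-style call cannot carry it
# past the attribute check. Requires Python 3.9+ (no ast.Index wrapper nodes).
ALLOWED_NODES = (
    ast.Expression, ast.Name, ast.Load, ast.Constant, ast.Attribute,
    ast.Subscript, ast.Slice, ast.Call, ast.keyword,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
    ast.List, ast.Tuple, ast.Dict,
)


class UnsafeExpression(ValueError):
    """Raised when a template expression uses syntax or names that are not allowed."""


def validate_expression(source: str) -> ast.Expression:
    """Parse `source` in eval mode and reject it unless every node is allowed."""
    tree = ast.parse(source, mode="eval")
    for node in ast.walk(tree):  # visits every node, not only the top-level ones
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise UnsafeExpression(f"private attribute: {node.attr}")
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            raise UnsafeExpression(f"private name: {node.id}")
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.startswith("_"):
            raise UnsafeExpression(f"private name as string constant: {node.value!r}")
    return tree


def is_safe(source: str) -> bool:
    """True if `source` passes validation; a syntax error counts as unsafe."""
    try:
        validate_expression(source)
    except (UnsafeExpression, SyntaxError):
        return False
    return True


def render_expression(source: str, context: dict):
    """Validate first, then evaluate with builtins removed and only `context` visible."""
    code = compile(validate_expression(source), "<template>", "eval")
    return eval(code, {"__builtins__": {}}, dict(context))
```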