Headline
CVE-2023-43364: removed eval from search cli method by dan-pavlov · Pull Request #130 · ArjunSharda/Searchor
main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution.
What is this Pull Request About?
The simple change in this pull request replaces the execution of search method in the cli code from using eval to calling search on the specified engine by passing engine as an attribute of Engine class. Because enum in Python is a set of members, each being a key-value pair, the syntax for getting members is the same as passing a dictionary.
What will this Pull Request Affect?
This pull request removes the use of eval in the cli code, achieving the same functionality while removing vulnerability of allowing execution of arbitrary code.
Related news
An issue in Arjun Sharda's Searchor before version v.2.4.2 allows an attacker to execute arbitrary code via a crafted script to the eval() function in Searchor's src/searchor/main.py file, affecting the search feature in Searchor's CLI (Command Line Interface). ### Impact Versions equal to, or below 2.4.1 are affected. ### Patches Versions above, or equal to 2.4.2 have patched the vulnerability. ### References https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection https://github.com/nexis-nexis/Searchor-2.4.0-POC-Exploit- https://github.com/jonnyzar/POC-Searchor-2.4.2 https://github.com/ArjunSharda/Searchor/pull/130