Eval on query parameters allows arbitrary code execution in SharePoint integration list creation

Products Impacted

This vulnerability is present in MindsDB versions v23.10.5.0 up to v24.7.4.1.

CVSS Score: 8.8

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE Categorization

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Details

To exploit this, an attacker must be authenticated to a MindsDB instance that has the SharePoint integration installed. The vulnerability exists because the value provided for the list column in an ‘INSERT’ statement for the lists table is passed into an eval statement within the create_a_list function in the mindsdb/integrations/handlers/sharepoint_handler/sharepoint_api.py file (shown below – edited to only include the relevant sections).

def create_a_list(
        self, site_id: str, list_template: str, display_name: str, column: str = None
    ) -> None:
        """
        Creates a list with metadata information provided in the params

        site_id: GUID of the site where the list is to be created
        list_template: a string which contains the list template information (type of list)
            eg.- "{'template': 'documentLibrary'}"
        display_name: the display name of the given list, which will be displayed in the site
        column: specifies the list of columns that should be created for the list
            eg.- "[{'name': 'Author', 'text': { }},{'name': 'PageCount', 'number': { }}]"

        Returns
        None
        """
        url = f"https://graph.microsoft.com/v1.0/sites/{site_id}/lists/"
        payload = {}
        if column:
            column = eval(column)
            payload["column"] = column
...

The eval function appears to be used for parsing valid Python data types from arbitrary user input but has the side effect of enabling arbitrary code execution because Python code can be passed to it via the method explained above.