Eval on query parameters allows arbitrary code execution in SharePoint integration list item creation

Products Impacted

This vulnerability is present in MindsDB versions v23.10.5.0 up to v24.7.4.1.

CVSS Score: 8.8

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE Categorization

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Details

To exploit this, an attacker must be authenticated to a MindsDB instance that has the SharePoint integration installed. The vulnerability exists because the value provided for the fields column in an ‘INSERT’ statement for the listItems table is passed into an eval statement in the create_an_item function in the mindsdb/integrations/handlers/sharepoint_handler/sharepoint_api.py file.

def create_an_item(self, site_id: str, list_id: str, fields: str) -> None:
        """
        Creates an item with metadata information provided in the params

        site_id: GUID of the site where the list id present
        list_id: GUID of the list where the item is to be created
        fields: The values of the columns set on this list item.

        Returns
        None
        """
        url = f"https://graph.microsoft.com/v1.0/sites/{site_id}/lists/{list_id}/items/"
        payload = {}
        if fields:
            payload["fields"] = eval(fields)
        create_an_entity(url=url, payload=payload, bearer_token=self.bearer_token)

The eval function appears to be used for parsing valid Python data types from arbitrary user input but has the side effect of enabling arbitrary code execution because Python code can be passed to it via the method explained above