xinyin025/LangBot
1
0
Fork 0
mirror of https://github.com/langbot-app/LangBot.git synced 2026-06-16 18:56:02 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f4a6edf7ec1bb235b282c72043204edd78454a45
LangBot/tests/test_cwe94_debug_exec.py
huanghuoguoguo f390980d0a test: format test suite (#2252)
2026-06-16 11:22:29 +08:00

56 lines
1.7 KiB
Python
Raw Blame History

"""
PoC test for CWE-94: Authenticated RCE via exec() on user-supplied Python code.
The /api/v1/system/debug/exec endpoint passes raw HTTP body to exec(),
allowing arbitrary code execution when debug_mode is True.
This test verifies that:
1. The exec() endpoint is removed from the codebase entirely.
2. No route matches /api/v1/system/debug/exec.
"""
import ast
import pathlib
# Resolve project root (one level up from tests/)
_PROJECT_ROOT = pathlib.Path(__file__).resolve().parent.parent
VULN_FILE = _PROJECT_ROOT / 'src' / 'langbot' / 'pkg' / 'api' / 'http' / 'controller' / 'groups' / 'system.py'
def test_no_exec_call_in_system_controller():
"""Verify there is no exec() call in system.py that takes user input."""
with open(VULN_FILE, 'r') as f:
source = f.read()
tree = ast.parse(source)
exec_calls = []
for node in ast.walk(tree):
if isinstance(node, ast.Call):
func = node.func
# Match bare exec() call
if isinstance(func, ast.Name) and func.id == 'exec':
exec_calls.append(node.lineno)
assert len(exec_calls) == 0, (
f'Found exec() call(s) at line(s) {exec_calls} in system.py. User-supplied code must never be passed to exec().'
)
def test_no_debug_exec_route():
"""Verify the /debug/exec route is not registered."""
with open(VULN_FILE, 'r') as f:
source = f.read()
assert 'debug/exec' not in source, (
'The /debug/exec route still exists in system.py. '
'This endpoint allows arbitrary code execution and must be removed.'
)
if __name__ == '__main__':
test_no_exec_call_in_system_controller()
test_no_debug_exec_route()
print('All tests passed!')
Reference in New Issue View Git Blame Copy Permalink