Prompt injection which leads to arbitrary code execution #7700
Labels: 🤖:bug (Related to a bug, vulnerability, unexpected error with an existing feature)

Comments

dosubot (bot) added the 🤖:bug label on Jul 14, 2023
Alright, it seems that the agent which used

PoC:

```python
import os
from langchain.agents.agent_toolkits import create_python_agent
from langchain.tools.python.tool import PythonREPLTool
from langchain.python import PythonREPL
from langchain.llms.openai import OpenAI
from langchain.agents.agent_types import AgentType
from langchain.chat_models import ChatOpenAI

os.environ["OPENAI_API_KEY"] = "<your-openai-api-key>"  # placeholder: the key was omitted from the report

# Agent whose only tool is an unrestricted Python REPL
agent_executor = create_python_agent(
    llm=OpenAI(temperature=0, max_tokens=1000),
    tool=PythonREPLTool(),
    verbose=True,
    agent_type=AgentType.ZERO_SHOT_REACT_DESCRIPTION,
)

# The "question" is itself Python; the agent passes it to the REPL tool and it runs
agent_executor.run("__import__('os').system('ls')")
```

Output:
#5640 would solve this, but hasn't been merged.

Any updates on addressing this vulnerability?
PR to deprecate it from langchain: #12427

PR merged and fix has been released https://github.com/langchain-ai/langchain/releases/tag/v0.0.325. Closing this issue.
System Info
langchain: 0.0.232
os: ubuntu 20.04
python: 3.9.13
Who can help?
No response
Information
Related Components
Reproduction
To reproduce this vuln, you can simply run this script with your own OpenAI key:
In which `test.csv` is just a normal CSV file; you can use an arbitrary CSV file.

Output log:
Expected behavior
Expected: No code is executed.

Suggestion: Add a sanitizer to check the sensitive prompt and code before passing it into PythonAstREPLTool.

Root Cause: This vuln is caused by PythonAstREPLTool._run; it can run arbitrary code without any checking.

Real World Impact: The prompt is always exposed to users, so a malicious prompt may lead to remote code execution when these agents are running on a remote server.
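The sanitizer the report asks for, as an added example (not LangChain's code): a gate to put in front of the REPL tool that statically checks the agent-generated snippet with the `ast` module and then runs it with a reduced builtins table and an allowlisting import hook. The function names and the allowlists are assumptions. It shrinks what an injected prompt can reach, but it is not a sandbox; the tool process should still run isolated (container, unprivileged user, no network).

```python
import ast, builtins, contextlib, io

# Builtins that let code escape its own namespace; matched by name at the AST level.
DANGEROUS_CALLS = {"__import__", "eval", "exec", "compile", "open", "getattr", "setattr",
                   "delattr", "globals", "locals", "vars", "input", "breakpoint"}
# Modules agent code may import and builtins it may use (assumption: tune per deployment).
ALLOWED_MODULES = {"math", "statistics", "json", "re", "datetime", "collections"}
SAFE_BUILTINS = ("print", "range", "sum", "len", "min", "max", "abs", "round", "sorted", "str",
                 "int", "float", "list", "dict", "set", "tuple", "enumerate", "zip", "map", "any")

def guarded_import(name, *args, **kwargs):
    """Second layer: an 'import x' inside agent code reaches the allowlist at runtime."""
    if name.split(".")[0] not in ALLOWED_MODULES:
        raise ImportError(f"module {name!r} is not allowlisted for agent code")
    return builtins.__import__(name, *args, **kwargs)

def check_python_snippet(code: str) -> list[str]:
    """First layer: static AST policy check. An empty list means the snippet passed."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    violations = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            violations += [f"import of non-allowlisted module {m!r}"
                           for m in mods if m.split(".")[0] not in ALLOWED_MODULES]
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in DANGEROUS_CALLS:
            violations.append(f"call to {node.func.id!r}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            violations.append(f"dunder attribute {node.attr!r}")  # blocks ().__class__ style chains
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            violations.append(f"dunder name {node.id!r}")
    return violations

def guarded_run(code: str) -> str:
    """Gate for an agent's python tool: refuse on violations, else exec with reduced builtins."""
    violations = check_python_snippet(code)
    if violations:
        return "REFUSED: " + "; ".join(violations)
    safe_builtins = {n: getattr(builtins, n) for n in SAFE_BUILTINS}
    safe_builtins["__import__"] = guarded_import
    out = io.StringIO()
    try:
        with contextlib.redirect_stdout(out):
            exec(code, {"__builtins__": safe_builtins})
    except Exception as exc:  # surface runtime errors to the agent, as the REPL tool does
        return f"ERROR: {exc!r}"
    return out.getvalue()
```

The PoC string from this issue is refused at the first layer (both the `__import__` call and the dunder name trip it), while plain arithmetic and allowlisted imports still run.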