superset/4.0.2 package update #22990

Merged: 1 commit into main, Jul 3, 2024

Conversation

@octo-sts octo-sts bot commented Jul 2, 2024

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
@octo-sts octo-sts bot added the labels request-version-update (request for a newer version of a package), automated pr and service:bincapz/blocking on Jul 2, 2024
octo-sts bot commented Jul 2, 2024

bincapz found risk score equal or higher than '4' for any of the files:

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/usr/share/superset/venv/lib/python3.11/site-packages/gunicorn/config.py [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | combo/backdoor/py_setuptools | Python library installer that evaluates arbitrary code | exec(server) |
| MEDIUM | 3P/threat_hunting/burpsuite | references 'burpsuite' tool, by mthcht | portswigger.net |
| MEDIUM | admin/package/install | Includes 'pip install' command for installing Python modules | pip install gunicorn |
| MEDIUM | kernel/platform | system platform identification | sys.platform |
| MEDIUM | net/download | download files | download |
| MEDIUM | net/reuseport | reuse TCP/IP ports for listening and connecting | SO_REUSEPORT |
| MEDIUM | net/upload | uploads files | UploadDir<br>upload_dir |
| MEDIUM | ref/daemon | Run as a background daemon | --daemon |
| MEDIUM | ref/path/dev | path reference within /dev | /dev/log |
| MEDIUM | ref/path/home | references path within /home | /home/djangoprojects/myproject<br>/home/python/mylibrary |
| MEDIUM | ref/path/relative | references and possibly executes relative path | ./gunicorn |
| MEDIUM | ref/site/php | accesses hardcoded PHP endpoint | https://www.owasp.org/index.php |
| MEDIUM | ref/words/heartbeat | references a 'heartbeat' - often used by background daemons | The current heartbeat system<br>directory to use for the worker heartbeat tempora |
| MEDIUM | techniques/code_eval | evaluate code dynamically using exec() | exec(server) |
| LOW | crypto/tls | tls | TLSVersion |
| LOW | env/get | Retrieve environment variable values | os.environ['SENDFILE'] |
| LOW | fs/permission/modify | modifies file permissions | fchmod |
| LOW | fs/watch | monitors filesystem events | inotify |
| LOW | net/http/request | makes HTTP requests | HTTP/1. |
| LOW | net/sendfile | transfer data between file descriptors | sendfile |
| LOW | net/socket/listen | listen on a socket | accept<br>socket |
| LOW | net/socket/send | send a message to a socket | send<br>socket |
| LOW | ref/path/etc | path reference within /etc | /etc/ssl/certs/stunnel.key<br>/etc/ssl/certs/stunnel.pem |
| LOW | ref/path/var | path reference within /var | /var/run/log<br>/var/run/syslog |
| LOW | ref/site/url | contains embedded HTTPS URLs | https://docs.datadoghq.com/developers/dogstatsd/<br>https://docs.python.org/3/library/logging.config.html<br>https://portswigger.net/research/http-desync-attacks-request-smuggling-re<br>https://www.openssl.org/docs/manmaster/man1/ciphers.html<br>https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet |

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/usr/share/superset/venv/lib/python3.11/site-packages/pip/_internal/utils/setuptools_build.py [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | combo/backdoor/py_setuptools | Python library installer that evaluates arbitrary code | exec(compile |
| MEDIUM | techniques/code_eval | evaluate code dynamically using exec() | exec(compile('''<br>exec(compile(setup |
| LOW | fd/read | reads from a file handle | f.read() |

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/usr/share/superset/venv/lib/python3.11/site-packages/setuptools/discovery.py [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | combo/backdoor/remote_eval | Executes code from a remote source | include(pack |
| MEDIUM | fs/directory/traverse | traverse filesystem hierarchy | os.walk |
| MEDIUM | ref/path/relative | references and possibly executes relative path | ./other<br>./root |
| MEDIUM | ref/path/root | path reference within /root | /root/is/nested/my/pkg<br>/root/is/nested/pkg |

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/usr/share/superset/venv/lib/python3.11/site-packages/setuptools/sandbox.py [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | combo/backdoor/py_setuptools | Python library installer that evaluates arbitrary code | exec(code |
| MEDIUM | fs/file/times/set | change file last access and modification times | utime |
| MEDIUM | fs/permission/modify | modifies file permissions | chmod |
| MEDIUM | kernel/platform | system platform identification | sys.platform |
| MEDIUM | techniques/code_eval | evaluate code dynamically using exec() | exec(code, |
| LOW | fd/read | reads from a file handle | stream.read() |
| LOW | fs/directory/create | creates directories | mkdir |
| LOW | fs/directory/remove | Uses libc functions to remove directories | rmdir |
| LOW | fs/fifo/create | make a FIFO special file (a named pipe) | mkfifo |
| LOW | fs/file/delete | deletes files | unlink |
| LOW | fs/link/read | read value of a symbolic link | readlink |
| LOW | fs/node/create | create device files | mknod |
| LOW | fs/symlink/resolve | resolves symbolic links | realpath |
| LOW | process/chroot | change the location of root for the process | chroot |
| LOW | ref/words/plugin | references a 'plugin' | setuptools_plugin |

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/usr/share/superset/venv/lib/python3.11/site-packages/setuptools/package_index.py [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | combo/dropper/python | setuptools script that fetches and executes | |
| HIGH | combo/backdoor/py_setuptools | Python library installer that executes external commands | os.system("git clone --quiet<br>os.system("hg clone --quiet<br>os.system("svn checkout |
| MEDIUM | data/embedded/html | Contains HTML content | |
| MEDIUM | exec/program | execute external program | os.system("git clone --quiet<br>os.system("hg clone --quiet<br>os.system("svn checkout |
| MEDIUM | net/download | download files | Determine download filename<br>Download URL<br>Download error for<br>Download error on<br>Download the file<br>Downloading<br>downloaded<br>alongside the downloaded file<br>as a possible download<br>def _attempt_download<br>def _download_git<br>def _download_hg<br>def _download_html<br>def _download_svn<br>def _download_to<br>def _download_url<br>def download<br>direct package downloading<br>download it to tmpdir<br>download_location<br>it is downloaded to a subpath<br>occurs during downloading<br>or working download links found for<br>possible download problem<br>possibly after downloading it to<br>t download<br>web pages for download URLs<br>zip before download |
| MEDIUM | net/url/request | requests resources via URL | urllib.request |
| MEDIUM | ref/words/agent | references an 'agent' | user_agent |
| LOW | encoding/base64 | Supports base64 encoded strings | base64 |
| LOW | fd/read | reads from a file handle | f.read()<br>fp.read() |
| LOW | fd/write | writes to a file handle | tfp.write(block) |
| LOW | fs/file/delete | deletes files | unlink |
| LOW | fs/symlink/resolve | resolves symbolic links | realpath |
| LOW | fs/tempdir/create | creates temporary directory | temp dir |
| LOW | net/http/request | makes HTTP requests | User-Agent |
| LOW | net/url | Handles URL strings | urllib |
| LOW | ref/site/url | contains embedded HTTPS URLs | https://pypi.org/simple/ |
| LOW | ref/words/password | references a 'password' | password pair<br>s --password |

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/app/superset/static/assets/de4c3f61ea16e0647411.chunk.js [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | 3P/elceef/html/smuggling | Generic detection for HTML smuggling (T1027.006), by marcin@ulikowski.pl | "click"<br>"download"<br>"msSave<br>.charCodeAt(l)^<br>.createElement(<br>.createObjectURL(<br>.download=<br>.msSave<br>atob(<br>new Blob(<br>new Uint8Array( |
| MEDIUM | data/embedded/html | Contains HTML content | |
| MEDIUM | net/download | download files | Download as Image<br>Download as image<br>PDF download failed<br>could not download file<br>download-dashboard<br>download-image<br>download-pdf<br>downloadName<br>download_as_image<br>downloading |
| MEDIUM | net/http/post | submit content to websites | POST<br>http |
| MEDIUM | techniques/code_eval | evaluate code dynamically using exec() | exec(e)))t<br>exec(i)<br>exec(o)<br>exec(t)) |
| LOW | encoding/base64 | Supports base64 encoded strings | base64 |
| LOW | encoding/json/decode | Decodes JSON messages | JSON.parse |
| LOW | encoding/json/encode | encodes JSON | JSON.stringify |
| LOW | fd/write | writes to a file handle | P.write(g)<br>document.write(a)<br>document.write(l)<br>document.write(u)<br>internal.write(o)<br>internal.write(r)<br>r.write(p) |
| LOW | fs/mount | mounts file systems | -o<br>mount |
| LOW | ref/site/url | contains embedded HTTPS URLs | https://bit.ly/1dQOfRK<br>https://cdnjs.cloudflare.com/ajax/libs/pdfobject/2.1.1/pdfobject.min.js<br>react-dnd/react-dnd#832<br>https://www.npmjs.com/package/@superset-ui/embedded-sdk |
| LOW | ref/words/password | references a 'password' | AcroFormPasswordField<br>ownerPassword<br>password<br>processOwnerPassword<br>userPassword |
| LOW | ref/words/plugin | references a 'plugin' | acroformPlugin<br>mountedPluginMetadata<br>please ensure that a plugin for |

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/usr/share/superset/venv/lib/python3.11/site-packages/numba/tests/support.py [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | combo/backdoor/py_setuptools | Python library installer that evaluates arbitrary code | eval(co |
| MEDIUM | exec/program | execute external program | subprocess.PIPE, env<br>subprocess.PIPE, timeout<br>subprocess.Popen(cmd, stdout<br>[subprocess.run(sys.executable, '-c', 'exit(<br>subprocess.run(cmd, stdout |
| MEDIUM | kernel/platform | system platform identification | sys.platform |
| MEDIUM | process/multiprocess | uses python multiprocessing | multiprocessing |
| MEDIUM | process/multithreaded | uses python threading | threading.Thread |
| MEDIUM | techniques/code_eval | evaluate code dynamically using eval() | eval(co, |
| LOW | fd/read | reads from a file handle | f.read() |
| LOW | fd/write | writes to a file handle | f.write(lines) |
| LOW | fs/directory/create | creates directories | mkdir |
| LOW | fs/tempdir | looks up location of temp directory | gettempdir |
| LOW | fs/tempdir/create | creates temporary directory | mkdtemp<br>temp dir |
| LOW | ref/site/url | contains embedded HTTPS URLs | https://eli.thegreenplace.net/2015/redirecting-all-kinds-of-stdout-in-pyt<br>numba/numba#7822 |

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/usr/share/superset/venv/lib/python3.11/site-packages/numpy/distutils/misc_util.py [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | combo/backdoor/py_setuptools | Python library installer that evaluates arbitrary code | eval('file'<br>eval('name'<br>eval('self' |
| MEDIUM | admin/package/install | Includes 'pip install' command for installing Python modules | pip install numpy --no-binary numpy<br>pip install numpy --only-binary |
| MEDIUM | evasion/lib_alias | aliases core python library to an alternate name | from threading import local as tlocal |
| MEDIUM | exec/program | execute external program | subprocess.CalledProcessError, OSError<br>subprocess.check_output(['svnversion'], cwd |
| MEDIUM | exec/shell_command | execute a shell command | system |
| MEDIUM | fs/directory/traverse | traverse filesystem hierarchy | os.walk |
| MEDIUM | kernel/platform | system platform identification | sys.platform |
| MEDIUM | process/multiprocess | uses python multiprocessing | multiprocessing |
| MEDIUM | ref/path/home | references path within /home | /home/username |
| MEDIUM | ref/path/tmp | path reference within /tmp | /tmp/sun.dat |
| MEDIUM | ref/path/usr/lib/python | References paths within /usr/lib/python | /usr/lib/python2.4/site-packages/mypackage<br>/usr/lib/python3.7/site-packages/numpy/core |
| MEDIUM | ref/path/usr/local | path reference within /usr/local/lib | /usr/local/lib |
| MEDIUM | ref/words/spoof | references spoofing | setuptools spoofs name to be |
| MEDIUM | techniques/code_eval | evaluate code dynamically using eval() | eval('self', |
| LOW | env/get | Retrieve environment variable values | os.environ['PATH'] |
| LOW | fd/read | reads from a file handle | f.read() |
| LOW | fs/symlink/resolve | resolves symbolic links | realpath |
| LOW | fs/tempdir/create | creates temporary directory | mkdtemp |
| LOW | ref/path/hidden | possible hidden file path | /numpy/.dylibs<br>/numpy/.libs |
| LOW | ref/path/usr/bin | path reference within /usr/bin | /usr/bin/cygpath |
| LOW | ref/site/url | contains embedded HTTPS URLs | https://bugs.python.org/issue30461<br>https://cygwin.com/cygwin-api/func-cygwin-conv-path.html<br>https://cygwin.com/cygwin-ug-net/cygpath.html<br>https://web.archive.org/web/20100314204946/http |

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/usr/share/superset/venv/lib/python3.11/site-packages/pyarrow/init.py [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | evasion/python_rename_imports | imports 'os' library and gives it another name | import os as _os |
| MEDIUM | exec/program | execute external program | subprocess.PIPE,<br>subprocess.Popen(cmd, stdout<br>[subprocess.call(_get_pkg_config_executable( |
| MEDIUM | kernel/platform | system platform identification | sys.platform |
| LOW | compression/gzip | works with gzip files | gzip |
| LOW | compression/zstd | Zstandard: fast real-time compression algorithm | zstd |
| LOW | ref/site/url | contains embedded HTTPS URLs | https://arrow.apache.org<br>cython/cython#3603 |

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/usr/share/superset/venv/lib/python3.11/site-packages/setuptools/build_meta.py [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | combo/backdoor/py_setuptools | Python library installer that evaluates arbitrary code | exec(code |
| MEDIUM | admin/package/install | Includes 'pip install' command for installing Python modules | pip install -e |
| MEDIUM | exec/program | execute external program | subprocess |
| MEDIUM | fs/directory/traverse | traverse filesystem hierarchy | os.walk |
| MEDIUM | techniques/code_eval | evaluate code dynamically using exec() | exec(code, |
| LOW | fd/read | reads from a file handle | f.read() |

/tmp/bincapz727785606/packages/x86_64/superset-4.0.2-r0.apk/usr/share/superset/venv/lib/python3.11/site-packages/setuptools/command/easy_install.py [🚨 CRITICAL]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| CRITICAL | evasion/py_setuptools/random | Python library installer that exhibits random behavior | import random |
| HIGH | combo/backdoor/py_setuptools | Python library installer that executes external commands | subprocess.list2cmdline(self) |
| MEDIUM | evasion/lib_alias | aliases core python library to an alternate name | from os import chmod as _chmod |
| MEDIUM | exec/program | execute external program | subprocess.list2cmdline([arg]<br>subprocess.list2cmdline(self |
| MEDIUM | fs/directory/traverse | traverse filesystem hierarchy | os.walk |
| MEDIUM | fs/file/times/set | change file timestamps | touch has import wrappers |
| MEDIUM | fs/permission/modify | modifies file permissions | chmod |
| MEDIUM | kernel/platform | system platform identification | sys.platform |
| MEDIUM | net/download | download files | Manage a download<br>doing automatic download<br>needed or not download<br>something we downloaded |
| LOW | env/HOME | Looks up the HOME directory for the current user | HOME<br>getenv |
| LOW | env/USER | Looks up the USER name of the current user | USER<br>getenv |
| LOW | env/get | Retrieve environment variable values | os.environ['PATHEXT'] |
| LOW | fd/write | writes to a file handle | f.write(contents)<br>f.write(data) |
| LOW | fs/file/delete | deletes files | unlink |
| LOW | fs/tempdir/create | creates temporary directory | mkdtemp |
| LOW | ref/site/url | contains embedded HTTPS URLs | pypa/setuptools#134<br>pypa/setuptools#202<br>https://pypi.org/simple/<br>https://setuptools.pypa.io/en/latest/deprecated/easy_install.html |

@rawlingsj (Member) commented:

CRITICAL bincapz score needs investigating

@tstromberg (Contributor) commented:

Approved for security.

@hectorj2f hectorj2f marked this pull request as ready for review July 3, 2024 13:44
@hectorj2f hectorj2f merged commit 5bf8a12 into main Jul 3, 2024
8 checks passed
@hectorj2f hectorj2f deleted the wolfictl-a1075fbf-e66e-435b-b9bb-ea183a779b76 branch July 3, 2024 13:45
4 participants