Description

credit：Aftersnows

In the file agentscope\\web\\workstation\\workflow_utils.py, there is a callback function named is_callable_expression. Within this function, the line result = eval(s) poses a security risk as it can directly execute user-provided commands.

This vulnerability can be exploited by accessing the AS Studio panel, and it presents a severe threat.

The function call chain is as follows:

_convert_to_py(content: str,**kwargs,) ->
build_dag(cfg)->
dag.add_as_node(node_id, node_info, config)->
node_cls(node_id=node_id,
opt_kwargs=node_info["data"].get("args", {}),source_kwargs=node_info["data"].get("source", {}),dep_opts=dep_opts,)->
node_opt.compile()

This vulnerability appeared in a rather interesting way. I discovered it within the Workflow component, and let me analyze it. The developer likely intended to automatically determine the properties of certain elements. In the Workflow DAG (Directed Acyclic Graph), whenever a node is added, the following operation occurs:

 node_opt = node_cls(
            node_id=node_id,
            opt_kwargs=node_info["data"].get("args", {}),
            source_kwargs=node_info["data"].get("source", {}),
            dep_opts=dep_opts,
        )

        # Add build compiled python code
        compile_dict = node_opt.compile()

The key point lies in the node_opt.compile() method, which iteratively calls the compile method of the WorkflowNode subclass. Let me give you the DialogAgentNode class's compile method.

def compile(self) -> dict:
        return {
            "imports": "from agentscope.agents import DialogAgent",
            "inits": f"{self.var_name} = DialogAgent("
            f"{kwarg_converter(self.opt_kwargs)})",
            "execs": f"{DEFAULT_FLOW_VAR} = {self.var_name}"
            f"({DEFAULT_FLOW_VAR})",
        }

The kwarg_converter method contains the following code execution:

    for key, value in kwargs.items():
        if is_callable_expression(value):

You can see that it invokes the is_callable_expression for all properties under the data attribute, leading to uncontrolled command execution.

Note that here I've just randomly chosen a WorkflowNode subclass to demonstrate the attack; in fact, any WorkflowNode subclass that calls kwarg_converter in its compile method is vulnerable to this attack.

Proof of Concept

Use the following command to start the environment:

as_studio
<http://127.0.0.1:5000>

You can choose to send a POST request, or as shown in my diagram below, you can use the functionality on the panel to run it.

If you do not have an actual diagram to reference, you might adjust the sentence to:

You can choose to send a POST request, or as I will illustrate below, you can use the features on the panel to run it.