Langflow AI产品AST代码解析执行RCE漏洞分析<\/h1>

漏洞概述<\/h2>
Langflow是一款AI产品，在其AST(抽象语法树)代码解析执行过程中存在远程代码执行(RCE)漏洞。该漏洞源于对`decorator<\/code>(装饰器)和参数注入的不当处理，使得攻击者能够通过精心构造的输入执行任意代码。<\/p>`

漏洞背景<\/h2>
AST解析执行的风险<\/h3>
AST(Abstract Syntax Tree)是源代码抽象语法结构的树状表示。当AI产品需要对代码进行分析、转换或执行时，通常会先将代码解析为AST，然后对AST进行操作。<\/p>
问题出现在：<\/p>

Langflow在处理用户提供的代码时，未充分验证和清理AST节点<\/li>
允许执行动态生成的AST结构<\/li>
对装饰器和参数注入缺乏安全限制<\/li>
<\/ol>
装饰器的安全隐患<\/h3>
装饰器是Python中一种强大的语法特性，可以修改函数或类的行为。然而，不当的装饰器使用可能导致：<\/p>
@eval<\/span>('__import__("os").system("rm -rf \/")'<\/span>)
<\/span><\/span>def<\/span> malicious_function<\/span>():
<\/span><\/span>    pass<\/span>
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
漏洞产生点<\/h3>


AST解析阶段<\/strong>：<\/p>

未对用户输入的代码进行充分过滤<\/li>
允许执行包含危险节点的AST（如eval<\/code>、exec<\/code>、__import__<\/code>等）<\/li>
<\/ul>
<\/li>

装饰器处理<\/strong>：<\/p>

装饰器参数未经验证直接执行<\/li>
装饰器本身可以包含动态代码<\/li>
<\/ul>
<\/li>

参数注入<\/strong>：<\/p>

通过参数传递恶意构造的字符串<\/li>
这些字符串最终被解析为可执行代码<\/li>
<\/ul>
<\/li>
<\/ol>
攻击向量<\/h3>


直接代码注入<\/strong>：<\/p>
# 通过装饰器注入<\/span>
<\/span><\/span>@malicious_decorator<\/span>(param=<\/span>'; import os; os.system("calc")'<\/span>)
<\/span><\/span>def<\/span> target_function<\/span>():
<\/span><\/span>    pass<\/span>
<\/span><\/span><\/code><\/pre><\/li>

AST节点注入<\/strong>：<\/p>
# 构造恶意AST节点<\/span>
<\/span><\/span>import<\/span> ast
<\/span><\/span>malicious_node =<\/span> ast.<\/span>Call(
<\/span><\/span>    func=<\/span>ast.<\/span>Name(id=<\/span>'eval'<\/span>, ctx=<\/span>ast.<\/span>Load()),
<\/span><\/span>    args=<\/span>[ast.<\/span>Str(s=<\/span>'__import__("os").system("whoami")'<\/span>)],
<\/span><\/span>    keywords=<\/span>[]
<\/span><\/span>)
<\/span><\/span><\/code><\/pre><\/li>

动态导入利用<\/strong>：<\/p>
# 通过__import__动态加载危险模块<\/span>
<\/span><\/span>@dynamic_import<\/span>(module=<\/span>'os'<\/span>, function=<\/span>'system'<\/span>, args=<\/span>['rm -rf \/'<\/span>])
<\/span><\/span>def<\/span> dummy<\/span>():
<\/span><\/span>    pass<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞利用<\/h2>
基本利用步骤<\/h3>

识别Langflow中接受代码或AST输入的接口<\/li>
构造包含恶意装饰器或参数的代码片段<\/li>
通过API或UI提交恶意输入<\/li>
触发AST解析和执行流程<\/li>
<\/ol>
高级利用技术<\/h3>


AST节点替换<\/strong>：<\/p>

修改现有AST中的无害节点为恶意节点<\/li>
利用AST的NodeTransformer<\/code>类进行自动化替换<\/li>
<\/ul>
<\/li>

装饰器链攻击<\/strong>：<\/p>
@decorator1<\/span>
<\/span><\/span>@eval<\/span>('__import__("subprocess").getoutput("id")'<\/span>)
<\/span><\/span>@decorator2<\/span>
<\/span><\/span>def<\/span> victim_function<\/span>():
<\/span><\/span>    pass<\/span>
<\/span><\/span><\/code><\/pre><\/li>

元类滥用<\/strong>：<\/p>
class<\/span> MaliciousMeta<\/span>(type):
<\/span><\/span>    def<\/span> __new__(cls, name, bases, namespace):
<\/span><\/span>        import<\/span> os
<\/span><\/span>        os.<\/span>system('malicious_command'<\/span>)
<\/span><\/span>        return<\/span> super().<\/span>__new__(cls, name, bases, namespace)
<\/span><\/span>
<\/span><\/span>class<\/span> VictimClass<\/span>(metaclass=<\/span>MaliciousMeta):
<\/span><\/span>    pass<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
防御措施<\/h2>
代码层面防护<\/h3>


AST节点过滤<\/strong>：<\/p>
SAFE_NODES =<\/span> {ast.<\/span>Expr, ast.<\/span>Assign, ast.<\/span>Name, ...<\/span>}
<\/span><\/span>
<\/span><\/span>def<\/span> validate_ast<\/span>(node):
<\/span><\/span>    if<\/span> type(node) not<\/span> in<\/span> SAFE_NODES:
<\/span><\/span>        raise<\/span> SecurityError(f<\/span>"Unsafe node type: <\/span>{<\/span>type(node)}<\/span>"<\/span>)
<\/span><\/span>    for<\/span> field, child in<\/span> ast.<\/span>iter_fields(node):
<\/span><\/span>        validate_ast(child)
<\/span><\/span><\/code><\/pre><\/li>

装饰器限制<\/strong>：<\/p>

禁用动态装饰器<\/li>
只允许预定义的安全装饰器<\/li>
<\/ul>
<\/li>

沙箱执行<\/strong>：<\/p>
from<\/span> RestrictedPython import<\/span> compile_restricted
<\/span><\/span>try<\/span>:
<\/span><\/span>    bytecode =<\/span> compile_restricted(source, '<inline>'<\/span>, 'exec'<\/span>)
<\/span><\/span>except<\/span> SyntaxError<\/span> as<\/span> e:
<\/span><\/span>    raise<\/span> SecurityError(f<\/span>"Unsafe syntax: <\/span>{<\/span>e}<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
架构层面防护<\/h3>


最小权限原则<\/strong>：<\/p>

使用低权限用户执行AI代码<\/li>
限制文件系统、网络访问<\/li>
<\/ul>
<\/li>

输入验证<\/strong>：<\/p>

白名单验证所有输入参数<\/li>
禁止特殊字符和关键字<\/li>
<\/ul>
<\/li>

审计日志<\/strong>：<\/p>

记录所有代码执行请求<\/li>
监控异常执行模式<\/li>
<\/ul>
<\/li>
<\/ol>
CodeQL检测规则<\/h2>
基本检测思路<\/h3>

识别AST解析执行点<\/li>
查找未经验证的用户输入流向这些执行点<\/li>
检测危险AST节点和装饰器使用<\/li>
<\/ol>
示例规则<\/h3>
import python

from DataFlow::PathGraph Node, DataFlow::PathNode source, DataFlow::PathNode sink
where
  \/\/ 定义危险接收器 - AST执行点
  exists(DataFlow::CallNode call |
    call.getTarget().hasName(["eval", "exec", "ast.literal_eval"]) and
    sink.asExpr() = call.getAnArgument()
  ) or
  exists(DataFlow::CallNode call |
    call.getTarget().hasQualifiedName("ast", "parse") and
    sink.asExpr() = call.getAnArgument()
  )
  and
  \/\/ 定义用户可控的源
  source.asParameter() = any(UserControlledInput input).getParameter()
  and
  \/\/ 数据流路径
  DataFlow::localPath(source, sink)
select sink, "Potential RCE via AST parsing from user input"
<\/code><\/pre>
总结<\/h2>
Langflow的RCE漏洞揭示了AI产品在处理代码解析和执行时的常见安全隐患。通过深入理解AST操作、装饰器机制和参数注入，安全研究人员可以更好地识别和防御此类漏洞。开发者应当：<\/p>

严格验证所有用户提供的代码和参数<\/li>
限制AST解析和执行的权限<\/li>
实施沙箱环境执行不可信代码<\/li>
使用静态分析工具(如CodeQL)进行自动化检测<\/li>
<\/ol>
对于安全团队，建议将此类漏洞模式纳入AI产品的安全测试用例库，并在SDL流程中加入专门的AST解析安全检查点。<\/p>

Langflow AI产品AST代码解析执行RCE漏洞分析<\/h1>

漏洞概述<\/h2> Langflow是一款AI产品，在其AST(抽象语法树)代码解析执行过程中存在远程代码执行(RCE)漏洞。该漏洞源于对decorator<\/code>(装饰器)和参数注入的不当处理，使得攻击者能够通过精心构造的输入执行任意代码。<\/p>

漏洞分析<\/h2>

漏洞利用<\/h2>

防御措施<\/h2>

CodeQL检测规则<\/h2>

漏洞概述<\/h2>
Langflow是一款AI产品，在其AST(抽象语法树)代码解析执行过程中存在远程代码执行(RCE)漏洞。该漏洞源于对`decorator<\/code>(装饰器)和参数注入的不当处理，使得攻击者能够通过精心构造的输入执行任意代码。<\/p>`